4e6b4a6b0f88369b10ab84afe4529ea7b4784707b3b5caa882e41050abbc6549

Analysis

max time kernel
95s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

723-130-2025.exe
Size

1.1MB
MD5

1cf5ecd1b8b508ae3c6a04a3341439f3
SHA1

e97b3bb75997b8faa8d54975e8dec5b3cd0f3a71
SHA256

a82f8608d3e988686365f5a95c721ed3669a088b4f48181cac546e85a1c81104
SHA512

e676a40018ba9e46290c6b15cbe444ec966467a531e2cc3a65939fa36d90c467f22a6baa5277443ce314e1f663d937519a26574f4920850663c67a539f4832a4
SSDEEP

24576:mAHnh+eWsN3skA4RV1Hom2KXFmIaQhxZhzOq3Q5:Bh+ZkldoPK1XaQhxZtJm

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4364 set thread context of 828	4364	723-130-2025.exe	85

Program crash 2 IoCs

pid	pid_target	Process	procid_target
628	4364	WerFault.exe	81
3956	828	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	723-130-2025.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4364	723-130-2025.exe
4364	723-130-2025.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4364	723-130-2025.exe
4364	723-130-2025.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4364	723-130-2025.exe
4364	723-130-2025.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 828	4364	723-130-2025.exe	85
PID 4364 wrote to memory of 828	4364	723-130-2025.exe	85
PID 4364 wrote to memory of 828	4364	723-130-2025.exe	85
PID 4364 wrote to memory of 828	4364	723-130-2025.exe	85

C:\Users\Admin\AppData\Local\Temp\723-130-2025.exe
"C:\Users\Admin\AppData\Local\Temp\723-130-2025.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\723-130-2025.exe"
  2⤵
  PID:828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 192
    3⤵
    - Program crash
    PID:3956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 732
  2⤵
  - Program crash
  PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4364 -ip 4364
1⤵
PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 828 -ip 828
1⤵
PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut72C0.tmp

Filesize
264KB

MD5
db188804ef5ffa5fafa804b555dd40b9

SHA1
a181d975979f35d6ca17a736d3c143a75e63e6d7

SHA256
0c302426b73d5cb269aad18c78dc2616f5faeb1a0b2b88b999d6cd623f8cb723

SHA512
d872aba3b3e78e2c6f0094d724bacee36289a27e08de596bd047f673d3cd3c429bd6001b076cf79bdd5f9174815f361b10a6ea2923ca3dfdcdb84f184eddeae8

Download Submit
memory/828-14-0x0000000000690000-0x00000000006D2000-memory.dmp

Filesize
264KB

Download
memory/4364-13-0x0000000000E80000-0x0000000001280000-memory.dmp

Filesize
4.0MB

Download