97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2025 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Size

576KB
MD5

474cb2f66478f9fbcc9265aa1b1e688e
SHA1

89c8bc9f3e577e4e2c491624c9d464a7fa17e549
SHA256

97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a
SHA512

311b71f672fbb2bf37a08b1b4b2da14311ce0e6a3e564d19c99ce85f8a65ab61df3307f459a34c077289bba23fdfb08e12aec06ede100a51084b2abbfff9f253
SSDEEP

12288:3R+lB7X/h6XFRbf0ez0npM4dl0v5Jdm5IpXt1U:36Ph6XFRbf0ezEM4dmv5BJtO

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4432	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe

Executes dropped EXE 1 IoCs

pid	Process
4432	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 24 IoCs

pid	pid_target	Process	procid_target
2500	2168	WerFault.exe	82
2184	4432	WerFault.exe	89
5092	4432	WerFault.exe	89
4884	4432	WerFault.exe	89
4976	4432	WerFault.exe	89
2880	4432	WerFault.exe	89
1076	4432	WerFault.exe	89
3064	4432	WerFault.exe	89
4720	4432	WerFault.exe	89
2716	4432	WerFault.exe	89
4436	4432	WerFault.exe	89
400	4432	WerFault.exe	89
5040	4432	WerFault.exe	89
2704	4432	WerFault.exe	89
3308	4432	WerFault.exe	89
3240	4432	WerFault.exe	89
1488	4432	WerFault.exe	89
4256	4432	WerFault.exe	89
3532	4432	WerFault.exe	89
4628	4432	WerFault.exe	89
2356	4432	WerFault.exe	89
4852	4432	WerFault.exe	89
1056	4432	WerFault.exe	89
888	4432	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Key created	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Key created	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Key created	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Key created	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Key created	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Key created	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Key created	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Key created	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Key created	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2168	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4432	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4432	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 4432	2168	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe	89
PID 2168 wrote to memory of 4432	2168	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe	89
PID 2168 wrote to memory of 4432	2168	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe	89

C:\Users\Admin\AppData\Local\Temp\97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
"C:\Users\Admin\AppData\Local\Temp\97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 384
  2⤵
  - Program crash
  PID:2500
- C:\Users\Admin\AppData\Local\Temp\97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
  C:\Users\Admin\AppData\Local\Temp\97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  PID:4432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 352
    3⤵
    - Program crash
    PID:2184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 912
    3⤵
    - Program crash
    PID:5092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1200
    3⤵
    - Program crash
    PID:4884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1224
    3⤵
    - Program crash
    PID:4976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1244
    3⤵
    - Program crash
    PID:2880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1292
    3⤵
    - Program crash
    PID:1076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1344
    3⤵
    - Program crash
    PID:3064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1372
    3⤵
    - Program crash
    PID:4720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1528
    3⤵
    - Program crash
    PID:2716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1484
    3⤵
    - Program crash
    PID:4436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1644
    3⤵
    - Program crash
    PID:400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1668
    3⤵
    - Program crash
    PID:5040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1692
    3⤵
    - Program crash
    PID:2704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1884
    3⤵
    - Program crash
    PID:3308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1740
    3⤵
    - Program crash
    PID:3240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 2112
    3⤵
    - Program crash
    PID:1488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 2072
    3⤵
    - Program crash
    PID:4256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 2188
    3⤵
    - Program crash
    PID:3532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1648
    3⤵
    - Program crash
    PID:4628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 2228
    3⤵
    - Program crash
    PID:2356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 2220
    3⤵
    - Program crash
    PID:4852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 2228
    3⤵
    - Program crash
    PID:1056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1892
    3⤵
    - Program crash
    PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2168 -ip 2168
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4432 -ip 4432
1⤵
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4432 -ip 4432
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4432 -ip 4432
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4432 -ip 4432
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4432 -ip 4432
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4432 -ip 4432
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4432 -ip 4432
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4432 -ip 4432
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4432 -ip 4432
1⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4432 -ip 4432
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4432 -ip 4432
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4432 -ip 4432
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4432 -ip 4432
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4432 -ip 4432
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4432 -ip 4432
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4432 -ip 4432
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4432 -ip 4432
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4432 -ip 4432
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4432 -ip 4432
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4432 -ip 4432
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4432 -ip 4432
1⤵
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4432 -ip 4432
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4432 -ip 4432
1⤵
PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe

Filesize
576KB

MD5
543786d411a29f555139c8ab102fe096

SHA1
f313ec355b7cf78a63c5d960b3ee6e89b883c5f3

SHA256
9486dfbd1a490a0bbc5189fab2771c808ec4e31b705e83e130a40a59a647a5de

SHA512
50a2fa28b7f17cd03a252a3b021586036760795fed10e69c2958e24be980c69eb0085f8d59d4a619c058bb79e15c74cf506f5f4e04a5438eb1816eadd1fbb2c2

Download Submit
memory/2168-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4432-6-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4432-7-0x00000000014A0000-0x00000000014E0000-memory.dmp

Filesize
256KB

Download
memory/4432-8-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4432-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download