5d97127302fd36f004e1a29c4e2cd8583ae6940fe5f16d1c8454885ae288cd8b

General

Target

START_ME.exe
Size

981KB
MD5

e3484a2aa73999f679732235728cc7e0
SHA1

800d1156db2a05ad9856741588cedb6b56185ac3
SHA256

343a5cbc98aff11e7d0ec6582e953df9bf3f0ecd41bead7365f13a382d64721e
SHA512

02eaf2e42898430fd08a82bd7c43d297ec188d4d98495c73059923a75c40b58d2a7def37b84e13ac8de8fca88175284121634a71ea187171dbb283dd366dabd9

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2324 created 3352 2324 WerFault.exe GUP.exe
Executes dropped EXE 1 IoCs

Processes:

GUP.exe

pid process

3352 GUP.exe
Loads dropped DLL 1 IoCs

Processes:

GUP.exe

pid process

3352 GUP.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2324 3352 WerFault.exe GUP.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3504 tasklist.exe
Modifies registry class 1 IoCs

Processes:

calc.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings calc.exe

description	pid	process	target process
PID 2324 created 3352	2324	WerFault.exe	GUP.exe

pid	process
3352	GUP.exe

pid	process
3352	GUP.exe

pid	pid_target	process	target process
2324	3352	WerFault.exe	GUP.exe

pid	process
3504	tasklist.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	calc.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

simulation.exeWerFault.exe

pid	process
2904	simulation.exe
2904	simulation.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

1708 OpenWith.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WerFault.exetasklist.exe

description pid process

Token: SeDebugPrivilege 2324 WerFault.exe
Token: SeDebugPrivilege 3504 tasklist.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

1708 OpenWith.exe

pid	process
1708	OpenWith.exe

description	pid	process
Token: SeDebugPrivilege	2324	WerFault.exe
Token: SeDebugPrivilege	3504	tasklist.exe

pid	process
1708	OpenWith.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

START_ME.exesimulation.execmd.execmd.exeGUP.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 64 wrote to memory of 2904	64	START_ME.exe	simulation.exe
PID 64 wrote to memory of 2904	64	START_ME.exe	simulation.exe
PID 64 wrote to memory of 2904	64	START_ME.exe	simulation.exe
PID 2904 wrote to memory of 3460	2904	simulation.exe	cmd.exe
PID 2904 wrote to memory of 3460	2904	simulation.exe	cmd.exe
PID 2904 wrote to memory of 3460	2904	simulation.exe	cmd.exe
PID 3460 wrote to memory of 1008	3460	cmd.exe	cmd.exe
PID 3460 wrote to memory of 1008	3460	cmd.exe	cmd.exe
PID 3460 wrote to memory of 1008	3460	cmd.exe	cmd.exe
PID 1008 wrote to memory of 3352	1008	cmd.exe	GUP.exe
PID 1008 wrote to memory of 3352	1008	cmd.exe	GUP.exe
PID 3352 wrote to memory of 1524	3352	GUP.exe	cmd.exe
PID 3352 wrote to memory of 1524	3352	GUP.exe	cmd.exe
PID 1524 wrote to memory of 1328	1524	cmd.exe	calc.exe
PID 1524 wrote to memory of 1328	1524	cmd.exe	calc.exe
PID 2904 wrote to memory of 992	2904	simulation.exe	cmd.exe
PID 2904 wrote to memory of 992	2904	simulation.exe	cmd.exe
PID 2904 wrote to memory of 992	2904	simulation.exe	cmd.exe
PID 992 wrote to memory of 3504	992	cmd.exe	tasklist.exe
PID 992 wrote to memory of 3504	992	cmd.exe	tasklist.exe
PID 992 wrote to memory of 3504	992	cmd.exe	tasklist.exe
PID 2904 wrote to memory of 1332	2904	simulation.exe	cmd.exe
PID 2904 wrote to memory of 1332	2904	simulation.exe	cmd.exe
PID 2904 wrote to memory of 1332	2904	simulation.exe	cmd.exe
PID 1332 wrote to memory of 2912	1332	cmd.exe	cmd.exe
PID 1332 wrote to memory of 2912	1332	cmd.exe	cmd.exe
PID 1332 wrote to memory of 2912	1332	cmd.exe	cmd.exe
PID 2912 wrote to memory of 1236	2912	cmd.exe	at.exe
PID 2912 wrote to memory of 1236	2912	cmd.exe	at.exe
PID 2912 wrote to memory of 1236	2912	cmd.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\START_ME.exe
"C:\Users\Admin\AppData\Local\Temp\START_ME.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:64

C:\Users\Admin\AppData\Local\Temp\assets\simulation.exe
"assets\simulation.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd.exe /cC:\Users\Admin\AppData\Local\Temp\GUP.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\SysWOW64\cmd.exe
cmd.exe /cC:\Users\Admin\AppData\Local\Temp\GUP.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\GUP.exe
C:\Users\Admin\AppData\Local\Temp\GUP.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c calc.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\system32\calc.exe
calc.exe
7⤵
- Modifies registry class
PID:1328

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3352 -s 404
6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist
3⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd.exe /c at 13:20 /interactive cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c at 13:20 /interactive cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\at.exe
at 13:20 /interactive cmd
5⤵
PID:1236

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

1

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GUP.exe
MD5
67baa5943ac95009acc6d9ec46875462

SHA1
678855f7001bbe90651063fbdc6c3113afb8a33e

SHA256
b94a58c21019d2ce2d1ab6c5a4d6229a88dd71c486c31f94c6c566e792df7378

SHA512
8efd270c9019505569c654ebac28755fd5264db777ad89dc7698e62a86325a1633bb6c8e3fb0bb6bf06cd3432d00626710c62cc3503b3fef97fe5d40855fb1a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUP.exe
MD5
67baa5943ac95009acc6d9ec46875462

SHA1
678855f7001bbe90651063fbdc6c3113afb8a33e

SHA256
b94a58c21019d2ce2d1ab6c5a4d6229a88dd71c486c31f94c6c566e792df7378

SHA512
8efd270c9019505569c654ebac28755fd5264db777ad89dc7698e62a86325a1633bb6c8e3fb0bb6bf06cd3432d00626710c62cc3503b3fef97fe5d40855fb1a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl.dll
MD5
fa740b2afb0bf1bcf090ef6115f2c562

SHA1
859082fbee4549f60c2f41bdb7bd759a6e890e82

SHA256
3c6b09f5b81b9a7c973b0c7730a6362f2f19efb585fff9760834de94db664fe0

SHA512
9882ed14171366dd6becb9be41d706056c74b557718d9ac387b07450c8d5a797d25ea916f65da3224605c3cf319c157d83159cba0b8cfd6f5306a38645de774d

Download Submit
C:\Users\Admin\AppData\Local\Temp\msp.log
MD5
684bb7accc86e047d744f547f37ffab0

SHA1
0fc97f22f30ed6062d5bb0e1694b77c0b20a4e64

SHA256
99dfb36000cbf33c2d7fd765f31f4f67a5f0737627e2ff0d02b3c21b1e51b634

SHA512
68c42e6cb2e0a04b77b7bccbfcfff3a818882d3b85b0c7d03152c426617bb6b9e347d4ad2015f5b7f4cfe269e15fdf8c56b909df45a647d3c810527606d08112

Download Submit
C:\Users\Admin\AppData\Local\Temp\msp.log
MD5
8ed15490aa7f8406ae18a61290f8f3ce

SHA1
8230ab16e2b0ed8430d109732b5f9098bd1ef01e

SHA256
4f1621bd5974c3279369002a97d1d0e70b3558c9cbccb32b1bd6e72ed23832af

SHA512
3b7b9d5f1bd553a1d15c8c285e717312235277957ea4b6ef7fb053253ddf94484b5e24aef3342a8b2a9b52e228a960b196d3ea18b6149ffcadf5f70fd8d7c99d

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl.dll
MD5
fa740b2afb0bf1bcf090ef6115f2c562

SHA1
859082fbee4549f60c2f41bdb7bd759a6e890e82

SHA256
3c6b09f5b81b9a7c973b0c7730a6362f2f19efb585fff9760834de94db664fe0

SHA512
9882ed14171366dd6becb9be41d706056c74b557718d9ac387b07450c8d5a797d25ea916f65da3224605c3cf319c157d83159cba0b8cfd6f5306a38645de774d

Download Submit
memory/992-15-0x0000000000000000-mapping.dmp

Download
memory/1008-5-0x0000000000000000-mapping.dmp

Download
memory/1236-19-0x0000000000000000-mapping.dmp

Download
memory/1328-12-0x0000000000000000-mapping.dmp

Download
memory/1332-17-0x0000000000000000-mapping.dmp

Download
memory/1524-11-0x0000000000000000-mapping.dmp

Download
memory/2324-13-0x000001CBDE750000-0x000001CBDE751000-memory.dmp

Filesize
4KB

Download
memory/2904-2-0x0000000000000000-mapping.dmp

Download
memory/2904-3-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/2912-18-0x0000000000000000-mapping.dmp

Download
memory/3352-6-0x0000000000000000-mapping.dmp

Download
memory/3460-4-0x0000000000000000-mapping.dmp

Download
memory/3504-16-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing