Analysis
- max time kernel: 4294183s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20220310-en
- submitted: 11-03-2022 12:17

Static task: static1
Behavioral task: behavioral1
- Sample: U prilogu potvrda narudzbe.exe
- Resource: win7-20220310-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: U prilogu potvrda narudzbe.exe
- Size: 1.2MB
- MD5: 33d5b6d2a768ee702bb7d345424e68c4
- SHA1: 09c324347674dc1530b282c816117c83244dc9e0
- SHA256: 7397f5b9dcb22b5032f825681a1158f362b3485a120f0fecbc51f1b1c5ca6a52
- SHA512: f80ee4c924e2d48660a3ca119e267a5d30d8ab25972123997016dca9524302fe2bd38e698ffb560b4dc75f8c28206ff8f19ae3b8bbf2024ac088d2f2768700c3
- Score: 6/10

Malware Config
(none)

Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: U prilogu potvrda narudzbe.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qbesszq = "C:\\Users\\Public\\qzssebQ.url"
  process: U prilogu potvrda narudzbe.exe

- Program crash (1 IoC)
  Processes: WerFault.exe
  pid: 1892
  pid_target: 1188
  process: WerFault.exe
  target process: logagent.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: U prilogu potvrda narudzbe.exe, logagent.exe
  description / pid / process / target process:
  PID 1632 wrote to memory of 1188 | 1632 | U prilogu potvrda narudzbe.exe | logagent.exe
  PID 1632 wrote to memory of 1188 | 1632 | U prilogu potvrda narudzbe.exe | logagent.exe
  PID 1632 wrote to memory of 1188 | 1632 | U prilogu potvrda narudzbe.exe | logagent.exe
  PID 1632 wrote to memory of 1188 | 1632 | U prilogu potvrda narudzbe.exe | logagent.exe
  PID 1632 wrote to memory of 1188 | 1632 | U prilogu potvrda narudzbe.exe | logagent.exe
  PID 1632 wrote to memory of 1188 | 1632 | U prilogu potvrda narudzbe.exe | logagent.exe
  PID 1632 wrote to memory of 1188 | 1632 | U prilogu potvrda narudzbe.exe | logagent.exe
  PID 1188 wrote to memory of 1892 | 1188 | logagent.exe | WerFault.exe
  PID 1188 wrote to memory of 1892 | 1188 | logagent.exe | WerFault.exe
  PID 1188 wrote to memory of 1892 | 1188 | logagent.exe | WerFault.exe
  PID 1188 wrote to memory of 1892 | 1188 | logagent.exe | WerFault.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\U prilogu potvrda narudzbe.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\U prilogu potvrda narudzbe.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\logagent.exe
    command line: C:\Windows\System32\logagent.exe
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 140
      - Program crash
Network
(none)

MITRE ATT&CK Matrix: ATT&CK v6

Downloads
- memory/1188-60-0x0000000072480000-0x00000000724AE000-memory.dmp (Filesize: 184KB)
- memory/1188-62-0x0000000000080000-0x0000000000081000-memory.dmp (Filesize: 4KB)
- memory/1632-54-0x0000000076141000-0x0000000076143000-memory.dmp (Filesize: 8KB)
- memory/1632-55-0x00000000003D0000-0x00000000003D1000-memory.dmp (Filesize: 4KB)
- memory/1632-57-0x0000000000400000-0x0000000000531000-memory.dmp (Filesize: 1.2MB)
- memory/1632-59-0x0000000004696000-0x0000000004697000-memory.dmp (Filesize: 4KB)