c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975

Analysis

max time kernel
151s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
Size

365KB
MD5

590d2edfd1ad69275c0c06c72aa49241
SHA1

9b4ce1a38ec9ee7e6388a62a60c6ce88a23f8c3a
SHA256

c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975
SHA512

efb098a7007fda000b382a938ec22e374766750b68dcfa559bd8357fd903bd056a0b9aae117a110c72d45268b9b5d3aed4b98b5d99bf31f026dda29a78c2a6e3
SSDEEP

6144:wQhbKAkbPALCDs7Wip0PzRW7Eh66+k2EK9u2VsX7AH+QP/rGllLhAGUX:eAkPAyVikzSc660tVU+v7obU

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4260	hH05800EhAoJ05800.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4904-133-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/4260-137-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/4904-138-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/4260-139-0x0000000000400000-0x00000000004C7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hH05800EhAoJ05800 = "C:\\hH05800EhAoJ05800\\hH05800EhAoJ05800.exe"	hH05800EhAoJ05800.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4232	4904	WerFault.exe	81
3240	4260	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4260	hH05800EhAoJ05800.exe
4260	hH05800EhAoJ05800.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4260	hH05800EhAoJ05800.exe
4260	hH05800EhAoJ05800.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4260	hH05800EhAoJ05800.exe
4260	hH05800EhAoJ05800.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
4260	hH05800EhAoJ05800.exe
4260	hH05800EhAoJ05800.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
Token: SeDebugPrivilege	4260	hH05800EhAoJ05800.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4260	hH05800EhAoJ05800.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 4260	4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe	89
PID 4904 wrote to memory of 4260	4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe	89
PID 4904 wrote to memory of 4260	4904	c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe	89

C:\Users\Admin\AppData\Local\Temp\c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe
"C:\Users\Admin\AppData\Local\Temp\c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 584
  2⤵
  - Program crash
  PID:4232
- C:\hH05800EhAoJ05800\hH05800EhAoJ05800.exe
  "\hH05800EhAoJ05800\hH05800EhAoJ05800.exe" "C:\Users\Admin\AppData\Local\Temp\c400326e8ec59bb46619bd63650725bb84dbeaf239ab87e7500f7c607805e975.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 704
    3⤵
    - Program crash
    PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4904 -ip 4904
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4260 -ip 4260
1⤵
PID:4572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\hH05800EhAoJ05800\hH05800EhAoJ05800.exe

Filesize
365KB

MD5
1be15ce8ed4a6279897f6822eb8b4a46

SHA1
8d0a240f4a3d2ea63aa34b8e766c2e660c2991b0

SHA256
f3fc52262108e5c4a185114306442f54c3a4e97e0e9f699239b4f010a449a21a

SHA512
6db5dac02ecd9a6b295f3e8a58d90e81b38f575a67f9441a46e5ea9047fb3328480465ee0fbbe3da3de5a111957a9bb9f3b935cfe223c10f4c7dd95272e37e87

Download Submit
C:\hH05800EhAoJ05800\hH05800EhAoJ05800.exe

Filesize
365KB

MD5
1be15ce8ed4a6279897f6822eb8b4a46

SHA1
8d0a240f4a3d2ea63aa34b8e766c2e660c2991b0

SHA256
f3fc52262108e5c4a185114306442f54c3a4e97e0e9f699239b4f010a449a21a

SHA512
6db5dac02ecd9a6b295f3e8a58d90e81b38f575a67f9441a46e5ea9047fb3328480465ee0fbbe3da3de5a111957a9bb9f3b935cfe223c10f4c7dd95272e37e87

Download Submit
memory/4260-137-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4260-139-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4904-132-0x00000000020E0000-0x00000000020E3000-memory.dmp

Filesize
12KB

Download
memory/4904-133-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4904-138-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download