Analysis
max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/11/2022, 18:57
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20221111-en
General
Target: file.exe
Size: 380KB
MD5: e91e8a603108c29db5d1a1ba1c8123fd
SHA1: e609bf5881c00aa4c325a2250407d0d8b254e04c
SHA256: d026b0f1bfa1ea1bc142695477450d6bd4c10e6d7cdbff1d4e8abaad8f04b6c1
SHA512: 2d0c23f0a9cc784820291595816ec49a9f12d3b4bdd5cc569f56810d1766fb73b9a1a8ece293210678d03ebe8d3413bb9ebc7ae9eb757588345bebcd4e8abff7
SSDEEP: 6144:x/QiQXCWkm+ksmpk3U9j0IV/OGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3WP6m6UR0IV/lL//plmW9bTXeVhD4
Malware Config
Signatures
Downloads MZ/PE file
Executes dropped EXE (2 IoCs)
  pid   Process
  4520  file.tmp
  1112  PowerOff.exe
Loads dropped DLL (1 IoCs)
  pid   Process
  4520  file.tmp
Program crash (1 IoCs)
  pid  pid_target  Process       procid_target
  736  1112        WerFault.exe  84
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1112  PowerOff.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  description                        pid   Process   procid_target
  PID 5008 wrote to memory of 4520   5008  file.exe  83
  PID 5008 wrote to memory of 4520   5008  file.exe  83
  PID 5008 wrote to memory of 4520   5008  file.exe  83
  PID 4520 wrote to memory of 1112   4520  file.tmp  84
  PID 4520 wrote to memory of 1112   4520  file.tmp  84
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of WriteProcessMemory
  PID: 5008
  C:\Users\Admin\AppData\Local\Temp\is-5K4C8.tmp\file.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-5K4C8.tmp\file.tmp" /SL5="$70116,140559,56832,C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 4520
    C:\Users\Admin\AppData\Local\Temp\is-E3SUE.tmp\PowerOff.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-E3SUE.tmp\PowerOff.exe" /S /UID=95
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1112
      C:\Windows\system32\WerFault.exe
        Command line: C:\Windows\system32\WerFault.exe -u -p 1112 -s 1480
        - Program crash
        PID: 736
C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 416 -p 1112 -ip 1112
  PID: 2680
Network
MITRE ATT&CK Matrix
Downloads