Analysis
- max time kernel: 43s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 04:33
Static task: static1
Behavioral task: behavioral1
- Sample: 7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe
- Resource: win10v2004-20220812-en
General
- Target: 7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe
- Size: 1.2MB
- MD5: 3e59ae6e32212b48b5119d210dbabd0c
- SHA1: ad93d375d8047bb2d0eebc1edf408b85b22a9df3
- SHA256: 7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54
- SHA512: 7f304776265db0f58c73e138faf7737de30f76a58041e95c1a23efd52eb0e54f2d6dca16016863e667fcad2c13efc3083225e2a39350a8c0279ed1f2141056e8
- SSDEEP: 3072:HAJ6YCx9QPeD18h7bLFrR3VYoufTbwH/EONHckiw1jNdGAeBycisq9ygf:HAYFu2Dyh7PFrRVYoQzONFXjNLFE4
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  1644 pm.exe
  988 pt.exe
- Loads dropped DLL (10 IoCs)
  Processes (pid, process):
  1676 7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe (4 events)
  988 pt.exe
  2036 WerFault.exe (4 events)
  1644 pm.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  File opened for modification | C:\WINDOWS\system\pm.exe | 7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe
  File opened for modification | C:\WINDOWS\system\pt.exe | 7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  2036 988 WerFault.exe pt.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  988 pt.exe (2 events)
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid, process):
  1676 7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe
  1644 pm.exe
  988 pt.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 1676 wrote to memory of 1644 | 1676 7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe -> pm.exe (4 events)
  PID 1676 wrote to memory of 988 | 1676 7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe -> pt.exe (4 events)
  PID 988 wrote to memory of 2036 | 988 pt.exe -> WerFault.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\WINDOWS\system\pm.exe (depth 2)
    Command line: C:\WINDOWS\system\pm.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
  - C:\WINDOWS\system\pt.exe (depth 2)
    Command line: C:\WINDOWS\system\pt.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 108
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\elementgj.dll
  Filesize: 20KB
  MD5: 991ac0a478c632bad7d5ca623679bd74
  SHA1: 8aecef6c8605346596b4331fdfa00d433d1fa4fb
  SHA256: 318dcfffe05989cf4293f2d626cd899045fe8b58a037825dc3e5596ebb61cfe7
  SHA512: 6ba05b77815e6088099daa5847af4ab5272c8b298e747785ae3f48ed791f0289e4a2a0f33c4ab9035021d3dbce2aee96fb6875a583b1a569c85167e96e25e45a
- C:\WINDOWS\system\pt.exe
  Filesize: 15KB
  MD5: acde03a4eeca28c2bc4d8a3f83e0d596
  SHA1: 2e784b89c7ad5c18bfb39b4c13cbb5cd152280d0
  SHA256: 2752b975c6958c8cd2cb353747bf9ff45b7f3a96e0c417bcbab71d656fc56a00
  SHA512: f93106043b6c9404848e0ffb08acf29a560214635410e8257accb7795c18634b3a9a56c066cf14f40a85ea469b73ff4a1d307d5cf364bf3a1a0d9ff90f2c9c38
- C:\Windows\system\pm.exe
  Filesize: 1.1MB
  MD5: 9d3dcad735b56115f78d1f2a8606f462
  SHA1: 03108db2fceb8a368ac915bcc95617d10906ac2d
  SHA256: a9050a782d352f764f58ca197f24233eb11d6b5d4e951815eb1ec167d107bac9
  SHA512: 70af1a6b8c613946ee24bfb49db576a46ffce6f15f53114712d7352df1dd08f7ff320627014fd7aa3b1dacc264588bb3ddada638a1a42fd211cd25d3118c385f
- C:\Windows\system\pt.exe
  Filesize: 15KB
  MD5: acde03a4eeca28c2bc4d8a3f83e0d596
  SHA1: 2e784b89c7ad5c18bfb39b4c13cbb5cd152280d0
  SHA256: 2752b975c6958c8cd2cb353747bf9ff45b7f3a96e0c417bcbab71d656fc56a00
  SHA512: f93106043b6c9404848e0ffb08acf29a560214635410e8257accb7795c18634b3a9a56c066cf14f40a85ea469b73ff4a1d307d5cf364bf3a1a0d9ff90f2c9c38
- \Users\Admin\AppData\Local\Temp\elementgj.dll
  Filesize: 20KB
  MD5: 991ac0a478c632bad7d5ca623679bd74
  SHA1: 8aecef6c8605346596b4331fdfa00d433d1fa4fb
  SHA256: 318dcfffe05989cf4293f2d626cd899045fe8b58a037825dc3e5596ebb61cfe7
  SHA512: 6ba05b77815e6088099daa5847af4ab5272c8b298e747785ae3f48ed791f0289e4a2a0f33c4ab9035021d3dbce2aee96fb6875a583b1a569c85167e96e25e45a
- \Windows\system\pm.exe
  Filesize: 1.1MB
  MD5: 9d3dcad735b56115f78d1f2a8606f462
  SHA1: 03108db2fceb8a368ac915bcc95617d10906ac2d
  SHA256: a9050a782d352f764f58ca197f24233eb11d6b5d4e951815eb1ec167d107bac9
  SHA512: 70af1a6b8c613946ee24bfb49db576a46ffce6f15f53114712d7352df1dd08f7ff320627014fd7aa3b1dacc264588bb3ddada638a1a42fd211cd25d3118c385f
- \Windows\system\pt.exe
  Filesize: 15KB
  MD5: acde03a4eeca28c2bc4d8a3f83e0d596
  SHA1: 2e784b89c7ad5c18bfb39b4c13cbb5cd152280d0
  SHA256: 2752b975c6958c8cd2cb353747bf9ff45b7f3a96e0c417bcbab71d656fc56a00
  SHA512: f93106043b6c9404848e0ffb08acf29a560214635410e8257accb7795c18634b3a9a56c066cf14f40a85ea469b73ff4a1d307d5cf364bf3a1a0d9ff90f2c9c38
- memory/988-68-0x0000000000400000-0x0000000000421000-memory.dmp
  Filesize: 132KB
- memory/988-64-0x0000000000000000-mapping.dmp
- memory/988-78-0x0000000000400000-0x0000000000421000-memory.dmp
  Filesize: 132KB
- memory/1644-58-0x0000000000000000-mapping.dmp
- memory/1676-67-0x0000000000340000-0x0000000000361000-memory.dmp
  Filesize: 132KB
- memory/1676-66-0x0000000000340000-0x0000000000361000-memory.dmp
  Filesize: 132KB
- memory/2036-71-0x0000000000000000-mapping.dmp