7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54

Analysis

max time kernel
143s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe
Size

1.2MB
MD5

3e59ae6e32212b48b5119d210dbabd0c
SHA1

ad93d375d8047bb2d0eebc1edf408b85b22a9df3
SHA256

7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54
SHA512

7f304776265db0f58c73e138faf7737de30f76a58041e95c1a23efd52eb0e54f2d6dca16016863e667fcad2c13efc3083225e2a39350a8c0279ed1f2141056e8
SSDEEP

3072:HAJ6YCx9QPeD18h7bLFrR3VYoufTbwH/EONHckiw1jNdGAeBycisq9ygf:HAYFu2Dyh7PFrRVYoQzONFXjNLFE4

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

pm.exept.exe

pid process

4860 pm.exe
4560 pt.exe
Loads dropped DLL 1 IoCs

Processes:

pt.exe

pid process

4560 pt.exe

pid	process
4860	pm.exe
4560	pt.exe

pid	process
4560	pt.exe

Drops file in Windows directory 2 IoCs

Processes:

7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe

description	ioc	process
File opened for modification	C:\WINDOWS\system\pm.exe	7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe
File opened for modification	C:\WINDOWS\system\pt.exe	7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1108 4560 WerFault.exe pt.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

pt.exe

pid process

4560 pt.exe
4560 pt.exe
4560 pt.exe
4560 pt.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exepm.exept.exe

pid process

4968 7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe
4860 pm.exe
4560 pt.exe

pid	pid_target	process	target process
1108	4560	WerFault.exe	pt.exe

pid	process
4560	pt.exe
4560	pt.exe
4560	pt.exe
4560	pt.exe

pid	process
4968	7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe
4860	pm.exe
4560	pt.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe

description	pid	process	target process
PID 4968 wrote to memory of 4860	4968	7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe	pm.exe
PID 4968 wrote to memory of 4860	4968	7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe	pm.exe
PID 4968 wrote to memory of 4860	4968	7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe	pm.exe
PID 4968 wrote to memory of 4560	4968	7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe	pt.exe
PID 4968 wrote to memory of 4560	4968	7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe	pt.exe
PID 4968 wrote to memory of 4560	4968	7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe	pt.exe

C:\Users\Admin\AppData\Local\Temp\7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe
"C:\Users\Admin\AppData\Local\Temp\7f62efa03621cd60510ed9fe2c9c5706e66355798215788eb637324f2bdd5d54.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4968

C:\WINDOWS\system\pm.exe
C:\WINDOWS\system\pm.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4860

C:\WINDOWS\system\pt.exe
C:\WINDOWS\system\pt.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 296
3⤵
- Program crash
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4560 -ip 4560
1⤵
PID:684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\elementgj.dll
Filesize
20KB

MD5
991ac0a478c632bad7d5ca623679bd74

SHA1
8aecef6c8605346596b4331fdfa00d433d1fa4fb

SHA256
318dcfffe05989cf4293f2d626cd899045fe8b58a037825dc3e5596ebb61cfe7

SHA512
6ba05b77815e6088099daa5847af4ab5272c8b298e747785ae3f48ed791f0289e4a2a0f33c4ab9035021d3dbce2aee96fb6875a583b1a569c85167e96e25e45a

Download Submit
C:\WINDOWS\system\pm.exe
Filesize
1.1MB

MD5
9d3dcad735b56115f78d1f2a8606f462

SHA1
03108db2fceb8a368ac915bcc95617d10906ac2d

SHA256
a9050a782d352f764f58ca197f24233eb11d6b5d4e951815eb1ec167d107bac9

SHA512
70af1a6b8c613946ee24bfb49db576a46ffce6f15f53114712d7352df1dd08f7ff320627014fd7aa3b1dacc264588bb3ddada638a1a42fd211cd25d3118c385f

Download Submit
C:\WINDOWS\system\pt.exe
Filesize
15KB

MD5
acde03a4eeca28c2bc4d8a3f83e0d596

SHA1
2e784b89c7ad5c18bfb39b4c13cbb5cd152280d0

SHA256
2752b975c6958c8cd2cb353747bf9ff45b7f3a96e0c417bcbab71d656fc56a00

SHA512
f93106043b6c9404848e0ffb08acf29a560214635410e8257accb7795c18634b3a9a56c066cf14f40a85ea469b73ff4a1d307d5cf364bf3a1a0d9ff90f2c9c38

Download Submit
C:\Windows\System\pm.exe
Filesize
1.1MB

MD5
9d3dcad735b56115f78d1f2a8606f462

SHA1
03108db2fceb8a368ac915bcc95617d10906ac2d

SHA256
a9050a782d352f764f58ca197f24233eb11d6b5d4e951815eb1ec167d107bac9

SHA512
70af1a6b8c613946ee24bfb49db576a46ffce6f15f53114712d7352df1dd08f7ff320627014fd7aa3b1dacc264588bb3ddada638a1a42fd211cd25d3118c385f

Download Submit
C:\Windows\System\pt.exe
Filesize
15KB

MD5
acde03a4eeca28c2bc4d8a3f83e0d596

SHA1
2e784b89c7ad5c18bfb39b4c13cbb5cd152280d0

SHA256
2752b975c6958c8cd2cb353747bf9ff45b7f3a96e0c417bcbab71d656fc56a00

SHA512
f93106043b6c9404848e0ffb08acf29a560214635410e8257accb7795c18634b3a9a56c066cf14f40a85ea469b73ff4a1d307d5cf364bf3a1a0d9ff90f2c9c38

Download Submit
memory/4560-139-0x0000000000000000-mapping.dmp

Download
memory/4560-142-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4560-144-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4860-134-0x0000000000000000-mapping.dmp

Download