477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb

Analysis

max time kernel
91s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 20:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
Size

1.7MB
MD5

db7f971c66f899d2a15497dd63b69021
SHA1

73e8ce1548b45c71c572dd0512b2ef7d91558450
SHA256

477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb
SHA512

66c40c7d4646a6f6dca1d7b80ef37af9fab4ffa112b4c8466d84aa88a304a926c108bbbf10ecd5b69f60e1c332cb5152a5ad04138cf1c05991659ac0e99bc19a
SSDEEP

49152:nlhWyy1cqdXGoIR6ufkedJsy/tzWqS/PVQm3dkX6:lhWyyWmFedKydWX/PVQYdI6

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1376-1488-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1491-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1490-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1493-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1495-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1499-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1497-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1507-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1509-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1513-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1519-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1521-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1517-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1515-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1525-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1523-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1533-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1531-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1529-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1527-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1511-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1505-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1535-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1503-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1501-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1492-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1376-1537-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4932	1376	WerFault.exe	81
2744	1376	WerFault.exe	81

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
1376	477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe

C:\Users\Admin\AppData\Local\Temp\477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe
"C:\Users\Admin\AppData\Local\Temp\477514c4c2da9cf910cfef84d670d364149b7e54f97a2d78800d75516ebf50cb.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1376
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1044
  2⤵
  - Program crash
  PID:4932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1064
  2⤵
  - Program crash
  PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1376 -ip 1376
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1376 -ip 1376
1⤵
PID:2936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1376-132-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1376-133-0x0000000077400000-0x00000000775A3000-memory.dmp

Filesize
1.6MB

Download
memory/1376-134-0x00000000769A0000-0x0000000076BB5000-memory.dmp

Filesize
2.1MB

Download
memory/1376-136-0x0000000077100000-0x00000000772A0000-memory.dmp

Filesize
1.6MB

Download
memory/1376-137-0x0000000076C40000-0x0000000076CBA000-memory.dmp

Filesize
488KB

Download
memory/1376-1481-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1376-1482-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1376-1483-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1376-1484-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1376-1486-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1376-1487-0x00000000026A0000-0x00000000027A0000-memory.dmp

Filesize
1024KB

Download
memory/1376-1488-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1491-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1490-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1493-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1495-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1499-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1497-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1507-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1509-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1513-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1519-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1521-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1517-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1515-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1525-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1523-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1533-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1531-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1529-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1527-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1511-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1505-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1535-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1534-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1376-1503-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1501-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1492-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1376-1536-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1376-1537-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download