8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d

Analysis

max time kernel
157s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe
Size

352KB
MD5

b4de54b35be567dccdb82bdd68ee2e65
SHA1

2bd1c9fa438584b9305cd08f7b81c3b02eb9bfdc
SHA256

8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d
SHA512

8d5a2128d10061572550ca3af95e04af04b3149af64306aa2044c23772651054e010ad9a3b6ffc6103bcde5c934abb00f81f74dc819292be888652f41da1124c
SSDEEP

6144:Ii7FhAd2I4+zdGDSkKstgehkB2bNlHRQp1SKjrU8C:nFmdH4adGDSkl9/87

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1cb07beb.exe explorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1cb07beb.exe	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1cb07beb = "C:\\Users\\Admin\\AppData\\Roaming\\1cb07beb.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*cb07beb = "C:\\Users\\Admin\\AppData\\Roaming\\1cb07beb.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1cb07be = "C:\\1cb07beb\\1cb07beb.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*cb07be = "C:\\1cb07beb\\1cb07beb.exe"	explorer.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 ip-addr.es
25 ip-addr.es

flow	ioc
23	ip-addr.es
25	ip-addr.es

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
392	4752	WerFault.exe	8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe
4840	4752	WerFault.exe	8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe

pid	process
4752	8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe
4752	8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exeexplorer.exe

pid process

4752 8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe
4776 explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exeexplorer.exe

description	pid	process	target process
PID 4752 wrote to memory of 4776	4752	8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe	explorer.exe
PID 4752 wrote to memory of 4776	4752	8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe	explorer.exe
PID 4752 wrote to memory of 4776	4752	8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe	explorer.exe
PID 4776 wrote to memory of 4540	4776	explorer.exe	svchost.exe
PID 4776 wrote to memory of 4540	4776	explorer.exe	svchost.exe
PID 4776 wrote to memory of 4540	4776	explorer.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe
"C:\Users\Admin\AppData\Local\Temp\8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 612
2⤵
- Program crash
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 620
2⤵
- Program crash
PID:4840

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\SysWOW64\svchost.exe
-k netsvcs
3⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4752 -ip 4752
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4752 -ip 4752
1⤵
PID:3304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4540-136-0x0000000000000000-mapping.dmp

Download
memory/4540-137-0x0000000000880000-0x00000000008A5000-memory.dmp

Filesize
148KB

Download
memory/4540-138-0x0000000000880000-0x00000000008A5000-memory.dmp

Filesize
148KB

Download
memory/4752-132-0x0000000002940000-0x0000000002F8A000-memory.dmp

Filesize
6.3MB

Download
memory/4752-133-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4776-134-0x0000000000000000-mapping.dmp

Download
memory/4776-135-0x0000000000B50000-0x0000000000B75000-memory.dmp

Filesize
148KB

Download