8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24

Analysis

max time kernel
112s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe
Size

1.3MB
MD5

9c648c3efce5d25e2730b34991def1eb
SHA1

5afb446b509460c76d1c95327ec54609a5c0527b
SHA256

8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24
SHA512

10e9f901606a633fd7b2a0691eb916a700997029e95efed19425e853d71626ffb43e925099c136ad22146fedbb92b354af336ed8e935be742e32c5cfc66cd0b3
SSDEEP

12288:50SkPW3ydDuYyYeHRc4Cwu2gkcRpkAI+XuUEvHNot5H3mWjc:KLu3yRuYLMc4CwJUKgMvHu5dj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
536	vstart.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_vstart.exe	vstart.exe
File opened for modification	C:\Windows\SysWOW64\_vstart.exe	vstart.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 536 set thread context of 4652	536	vstart.exe	82

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\vstart.exe	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\vstart.exe	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1348	4652	WerFault.exe	82

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 536	4932	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe	81
PID 4932 wrote to memory of 536	4932	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe	81
PID 4932 wrote to memory of 536	4932	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe	81
PID 536 wrote to memory of 4652	536	vstart.exe	82
PID 536 wrote to memory of 4652	536	vstart.exe	82
PID 536 wrote to memory of 4652	536	vstart.exe	82
PID 536 wrote to memory of 4652	536	vstart.exe	82
PID 536 wrote to memory of 4652	536	vstart.exe	82
PID 536 wrote to memory of 2724	536	vstart.exe	83
PID 536 wrote to memory of 2724	536	vstart.exe	83
PID 4932 wrote to memory of 3268	4932	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe	85
PID 4932 wrote to memory of 3268	4932	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe	85
PID 4932 wrote to memory of 3268	4932	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe	85

C:\Users\Admin\AppData\Local\Temp\8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe
"C:\Users\Admin\AppData\Local\Temp\8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\vstart.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\vstart.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:4652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 12
      4⤵
      Program crash
      PID:1348
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""
  2⤵
  PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4652 -ip 4652
1⤵
PID:1152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat

Filesize
248B

MD5
beec7a7f4e730b29b65580fce03b039d

SHA1
09ed962d58dfd1fe49611b910c4af402679ca978

SHA256
f50a232dd08e3b08f43258a0c78da13df101ec7a526b72d42cd2e9ad4d08f124

SHA512
8e86f10df29bef74fef80d0b98deefa87c71f13e606d0da09eb9a6686a46fb2e24e35f9a2e7c9630c3547f0ec0a8e094a75a2a2bf7b5a87a0553dd8066967942

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSINFO\vstart.exe

Filesize
1.3MB

MD5
9c648c3efce5d25e2730b34991def1eb

SHA1
5afb446b509460c76d1c95327ec54609a5c0527b

SHA256
8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24

SHA512
10e9f901606a633fd7b2a0691eb916a700997029e95efed19425e853d71626ffb43e925099c136ad22146fedbb92b354af336ed8e935be742e32c5cfc66cd0b3

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\vstart.exe

Filesize
1.3MB

MD5
9c648c3efce5d25e2730b34991def1eb

SHA1
5afb446b509460c76d1c95327ec54609a5c0527b

SHA256
8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24

SHA512
10e9f901606a633fd7b2a0691eb916a700997029e95efed19425e853d71626ffb43e925099c136ad22146fedbb92b354af336ed8e935be742e32c5cfc66cd0b3

Download Submit
memory/536-138-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/4652-137-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/4932-132-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/4932-140-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download