Analysis
max time kernel: 67s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-02-2023 15:45
Static task: static1
Behavioral task: behavioral1
  Sample: C4Loader.exe
  Resource: win7-20220812-en (windows7-x64)
  21 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: C4Loader.exe
  Resource: win10v2004-20220812-en (windows10-2004-x64)
  4 signatures, 150 seconds
General
Target: C4Loader.exe
Size: 1023KB
MD5: 58085125085deb901f7a9dc84878dc83
SHA1: 4449658339d5ac9b6548547d4796a91d3e4988fd
SHA256: f17169b0899deeded527fc3844abf46b7f14af1643568fcd95c04a69205282b6
SHA512: 5b05bc767d56f71305b8695dec76a9d14d7d70c703bfa5426ec5e40238a6c54bb570e752ed060aba09064f70792bc936150304ed3e9fcc86ada54cb6c2e8ee2a
SSDEEP: 3072:sb+Ukz9+SIRWDWTZjBIEIqjs6MsYkkblHz54uAg0FujDQ/Sv3x+F1I02:satETNjKEI4IsZkjAOsiB+F1I/
Score: 7/10
Malware Config
Signatures
- Uses the VBS compiler for execution (1 TTPs)
  The "VBS compiler" is vbc.exe, the Visual Basic .NET command-line compiler shipped with the .NET Framework, not the VBScript engine. It is not compiling anything here; the two signatures below show it being used as a host process.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target pid | target process
  set thread context | 2440 | C4Loader.exe | 3580 | vbc.exe
- Program crash (2 IoCs)
  Processes:
  pid | process | target pid | target process
  1952 | WerFault.exe | 2440 | C4Loader.exe
  2636 | WerFault.exe | 3580 | vbc.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description | pid | process | target pid | target process
  wrote to memory | 2440 | C4Loader.exe | 3580 | vbc.exe (5 identical entries)
  A parent writing into a child it has just spawned and then calling SetThreadContext on that child is the process-hollowing sequence. The report does not show the CreateProcess flags or the addresses written, so confirming it means checking the behavioral trace for the child being created suspended and for its original image at the base address being unmapped before the writes.
Processes
- C:\Users\Admin\AppData\Local\Temp\C4Loader.exe (PID 2440)
  Command line: "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 3580)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    (no source file and no switches: the compiler is started with nothing to compile)
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 16
      - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 264
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2440 -ip 2440
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3580 -ip 3580
Both crashes were handled by the SysWOW64 copy of WerFault.exe, which reports on 32-bit (WOW64) processes, so the sample and its vbc.exe child ran as 32-bit processes on the x64 image.
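One way to turn the signature rows and the process tree above into a single process-hollowing verdict, written here as an added Python example (not code from the sandbox or from this report). The event list is constructed from the report's own rows for PID 2440 and PID 3580; the Event schema, the hollow_candidates() function and its heuristic weights are assumptions of this example, not a sandbox API. It goes beyond this one sample by accepting any sequence of create / write / set-context / crash events and by checking for other commonly abused .NET host binaries.

```python
"""Correlate sandbox API events into a process-hollowing candidate.

Added example, not part of the sandbox report: EVENTS is constructed from
the rows the report shows for C4Loader.exe (PID 2440) and vbc.exe (PID 3580).
The Event schema, hollow_candidates() and the scoring weights are assumptions
of this example, not a sandbox API.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str            # create | write_memory | set_thread_context | crash
    pid: int             # acting process
    image: str           # acting process image name
    target: int          # process acted upon
    target_image: str    # its image name
    cmdline: str = ""    # child command line, present only on "create"


# Constructed from the report's signature tables and process tree.
EVENTS = [
    Event("create", 2440, "C4Loader.exe", 3580, "vbc.exe",
          r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"'),
    *[Event("write_memory", 2440, "C4Loader.exe", 3580, "vbc.exe") for _ in range(5)],
    Event("set_thread_context", 2440, "C4Loader.exe", 3580, "vbc.exe"),
    Event("crash", 2636, "WerFault.exe", 3580, "vbc.exe"),
    Event("crash", 1952, "WerFault.exe", 2440, "C4Loader.exe"),
]

# Signed, always-present .NET Framework binaries that are popular hollowing hosts.
KNOWN_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe",
               "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}


def has_arguments(cmdline):
    """True if anything follows the (possibly quoted) executable path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.split(None, 1)[1] if " " in s else ""
    return rest.strip() != ""


def hollow_candidates(events):
    """One finding per (parent, child) pair that shows the hollowing sequence:
    the parent writes into the child and afterwards sets a thread context in
    it. Further observations add heuristic weight to the score."""
    by_pair = defaultdict(list)
    crashed = set()
    for e in events:
        if e.kind == "crash":
            crashed.add(e.target)
        else:
            by_pair[(e.pid, e.target)].append(e)

    findings = []
    for (parent, child), evs in by_pair.items():
        kinds = [e.kind for e in evs]
        if "write_memory" not in kinds or "set_thread_context" not in kinds:
            continue
        # Order check: the payload is written before execution is redirected
        # into it; a context change with no later write does not fit hollowing.
        first_write = kinds.index("write_memory")
        last_ctx = len(kinds) - 1 - kinds[::-1].index("set_thread_context")
        if last_ctx < first_write:
            continue
        reasons = ["WriteProcessMemory then SetThreadContext on the same child"]
        score = 50
        create = next((e for e in evs if e.kind == "create"), None)
        if create is not None:
            score += 20
            reasons.append("child was created by the same parent")
            if not has_arguments(create.cmdline):
                score += 10
                reasons.append("child launched with no arguments")
        child_image = evs[0].target_image
        if child_image.lower() in KNOWN_HOSTS:
            score += 15
            reasons.append(f"{child_image} is a common hollowing host")
        if child in crashed:
            score += 5
            reasons.append("child crashed afterwards (WerFault)")
        findings.append({"parent": parent, "child": child,
                         "child_image": child_image, "score": score,
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hollow_candidates(EVENTS):
        print(f"PID {f['parent']} -> PID {f['child']} ({f['child_image']}): "
              f"score {f['score']}")
        for r in f["reasons"]:
            print("  -", r)
```

The order check is what keeps this from firing on every debugger: a SetThreadContext that precedes all writes into the target is skipped. The weights are illustrative; the signal worth keeping in a real rule is the write-then-set-context pair from a parent into a child it created, with the known-host list and the empty command line as corroboration.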
Network
Downloads
- memory/2440-139-0x0000000000770000-0x0000000000874000-memory.dmp (1.0MB)
- memory/2440-140-0x0000000000770000-0x0000000000874000-memory.dmp (1.0MB)
- memory/3580-132-0x0000000000000000-mapping.dmp
- memory/3580-133-0x0000000000400000-0x000000000040F000-memory.dmp (60KB)
The two 1.0MB dumps from PID 2440 cover 0x770000-0x874000 (0x104000 bytes), about the size of the 1023KB sample itself. The 60KB region at 0x400000-0x40F000 in PID 3580 is the one to examine first: 0x400000 is the usual image base of a 32-bit executable, and a region that small is far smaller than vbc.exe's own image, so if the hollowing reading of the signatures is right it holds the written-in payload rather than vbc.exe's code. Check it for a PE header and compare its imports against what the parent would need.