Analysis
-
max time kernel
5s -
max time network
6s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2023 18:45
Static task
static1
Behavioral task
behavioral1
Sample
1ef84b11edcd948a3c02c81f50661c2e.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
1ef84b11edcd948a3c02c81f50661c2e.exe
Resource
win10v2004-20230220-en
General
-
Target
1ef84b11edcd948a3c02c81f50661c2e.exe
-
Size
604KB
-
MD5
1ef84b11edcd948a3c02c81f50661c2e
-
SHA1
a81e639cf8391df668ab2333538bc7e838efef46
-
SHA256
f7a348fc491b26c41a96f3f5498f72bb7e736e9981926831a88b76aae0117c79
-
SHA512
20b9c843d91224ca0fcbe92b2743afe42e41e638d16bd2524317ed46560afcae63d60fa29d35a5273be343ccd4fc5fe27807b60766bb9ceb3ecd55eb2e830acb
-
SSDEEP
6144:+dFD2uPNDHDTb+HdtH9Wd1yxBMf2esCDj2cp4DwK3bnqpnobns+NOYuR6QCwUjyU:+Plj+Hdsy7Mf9sbcps3rHn46QCVjq0XL
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3124 embedded.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2744 460 WerFault.exe 86 -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 1500 wrote to memory of 4544 1500 1ef84b11edcd948a3c02c81f50661c2e.exe 84 PID 1500 wrote to memory of 4544 1500 1ef84b11edcd948a3c02c81f50661c2e.exe 84 PID 1500 wrote to memory of 4544 1500 1ef84b11edcd948a3c02c81f50661c2e.exe 84 PID 4544 wrote to memory of 3124 4544 cmd.exe 85 PID 4544 wrote to memory of 3124 4544 cmd.exe 85 PID 4544 wrote to memory of 3124 4544 cmd.exe 85 PID 3124 wrote to memory of 460 3124 embedded.exe 86 PID 3124 wrote to memory of 460 3124 embedded.exe 86 PID 3124 wrote to memory of 460 3124 embedded.exe 86 PID 3124 wrote to memory of 460 3124 embedded.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ef84b11edcd948a3c02c81f50661c2e.exe"C:\Users\Admin\AppData\Local\Temp\1ef84b11edcd948a3c02c81f50661c2e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c embedded.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Users\Admin\AppData\Local\Temp\embedded.exeembedded.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"4⤵PID:460
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 4085⤵
- Program crash
PID:2744
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 460 -ip 4601⤵PID:4140
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66KB
MD5140d24af0c2b3a18529df12dfbc5f6de
SHA1e8db5ad2b7ffede3e41b9c3adb24f3232d764931
SHA2564eabb1adc035f035e010c0d0d259c683e18193f509946652ed8aa7c5d92b6a92
SHA512a2ead649f155555ec3e55800494f833d18cea68afe736807ec23b5991242928a0853e451b60894ec8e0abe8c42db341c2237007981f38f0366fd7c6ecafb7415
-
Filesize
66KB
MD5140d24af0c2b3a18529df12dfbc5f6de
SHA1e8db5ad2b7ffede3e41b9c3adb24f3232d764931
SHA2564eabb1adc035f035e010c0d0d259c683e18193f509946652ed8aa7c5d92b6a92
SHA512a2ead649f155555ec3e55800494f833d18cea68afe736807ec23b5991242928a0853e451b60894ec8e0abe8c42db341c2237007981f38f0366fd7c6ecafb7415