0758bae88bcbffe93e6022920e7dac6f76c3d00a6d0948eb46eaf6b4db6324d2

Analysis

max time kernel
143s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

decoded.exe
Size

476KB
MD5

0ba33b5dbd3e450986c9627889575e26
SHA1

72e01bab823dea6d24f340481c8fd860ecb94ffd
SHA256

0758bae88bcbffe93e6022920e7dac6f76c3d00a6d0948eb46eaf6b4db6324d2
SHA512

f0159b06a2dc99d260a2bb6c756838956a6a79528a76a8f81f7a4e1f6b11222346d450b373c5f7a71dffa36c25a4d5f40d8cd68ee49b211044c3c92e4d392970
SSDEEP

12288:l0yYjNuWRUFBV0JBnSA/e8MosoxXn9+ECqnub/hlrn:lDquW+50jnSA2Toso19lC+ubhRn

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

description	pid	Process	procid_target
PID 3240 created 2420	3240	decoded.exe	38
PID 3240 created 3520	3240	decoded.exe	26
PID 3240 created 2420	3240	decoded.exe	38
PID 3240 created 3904	3240	decoded.exe	24
PID 3240 created 2412	3240	decoded.exe	39
PID 3240 created 4612	3240	decoded.exe	10
PID 3240 created 2412	3240	decoded.exe	39
PID 3240 created 4612	3240	decoded.exe	10
PID 3240 created 2608	3240	decoded.exe	32
PID 3240 created 3904	3240	decoded.exe	24
PID 3240 created 4612	3240	decoded.exe	10
PID 3240 created 3808	3240	decoded.exe	3
PID 3240 created 2420	3240	decoded.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1840	3240	WerFault.exe	80

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	decoded.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe
3240	decoded.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 3100	3240	decoded.exe	84
PID 3240 wrote to memory of 3100	3240	decoded.exe	84
PID 3240 wrote to memory of 3100	3240	decoded.exe	84

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3808

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4612

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3904

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3520

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2420
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe"
  2⤵
  PID:3100

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2412

C:\Users\Admin\AppData\Local\Temp\decoded.exe
"C:\Users\Admin\AppData\Local\Temp\decoded.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 1292
  2⤵
  - Program crash
  PID:1840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3240 -ip 3240
1⤵
PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3240-134-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download