Analysis

  • max time kernel
    128s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-09-2023 00:09

General

  • Target
    UmeMemqbMti9.exe
  • Size
    967KB
  • MD5
    29e932d3d12d1811d99691acb7f228bc
  • SHA1
    4c67dd3dbb393ba68e602ed43223001bb88d94e4
  • SHA256
    54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711
  • SHA512
    39d2e21c86b5fd3bac702837f7c95ffe6a0119f9647998e0496a14a6c1f0f81f65fc331977ea16bc4a041d000d80942aa374538c9f9016e6e59f9eac01cdf98f
  • SSDEEP
    24576:BqDEvCTbMWu7rQYlBQcBiT6rprG8aNrpmD:BTvC/MTQYxsWR7aNo

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Suspicious use of SetThreadContext (5 IoCs)
  • Program crash (5 IoCs)
  • Suspicious use of WriteProcessMemory (22 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\UmeMemqbMti9.exe
    "C:\Users\Admin\AppData\Local\Temp\UmeMemqbMti9.exe"
    PID:3704
    Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      PID:4776
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 80
        PID:1784
        Signatures: Program crash
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      PID:4540
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 80
        PID:1660
        Signatures: Program crash
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      PID:1592
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 80
        PID:4716
        Signatures: Program crash
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      PID:2752
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 80
        PID:1240
        Signatures: Program crash
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      PID:3440
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 80
        PID:4680
        Signatures: Program crash
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4776 -ip 4776
    PID:2536
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4540 -ip 4540
    PID:2584
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1592 -ip 1592
    PID:3776
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2752 -ip 2752
    PID:1016
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3440 -ip 3440
    PID:2188

Network

MITRE ATT&CK Enterprise v15
