8d8ea37c0e7917a6edaec783510583dca72032c8b5cdde2f35dc2a46ca2fb926

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07/10/2023, 08:38

Target

8d8ea37c0e7917a6edaec783510583dca72032c8b5cdde2f35dc2a46ca2fb926.exe
Size

2.7MB
MD5

41be6f989caa160cb408980c321405c2
SHA1

15d4f5e59d0c1c5b79e5a3a0d8ebb41987b161ad
SHA256

8d8ea37c0e7917a6edaec783510583dca72032c8b5cdde2f35dc2a46ca2fb926
SHA512

e4d20bbc3bd6c9b9fb6adbcc15db57ec46df1078b7f5166a532ab332f1d5d633d685d76caab0abaec37bb75439c1620383f7e748fe08b53742eabce6f37a09ba
SSDEEP

49152:CCF1lBCdLxZZxf5Cq3PCk2GNq0pXx9hjz33H2BrWZYPbuac8txEEj9hb:CaBILxZZdqsXzhjr3lw

Score

4^/10

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\imyfone_down\8d8ea37c0e7917a6edaec783510583dca72032c8b5cdde2f35dc2a46ca2fb926\Log\imyfone_down.log	8d8ea37c0e7917a6edaec783510583dca72032c8b5cdde2f35dc2a46ca2fb926.exe
File created	C:\Program Files (x86)\imyfone_down\8d8ea37c0e7917a6edaec783510583dca72032c8b5cdde2f35dc2a46ca2fb926\language\	8d8ea37c0e7917a6edaec783510583dca72032c8b5cdde2f35dc2a46ca2fb926.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2416	328	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 2416	328	8d8ea37c0e7917a6edaec783510583dca72032c8b5cdde2f35dc2a46ca2fb926.exe	28
PID 328 wrote to memory of 2416	328	8d8ea37c0e7917a6edaec783510583dca72032c8b5cdde2f35dc2a46ca2fb926.exe	28
PID 328 wrote to memory of 2416	328	8d8ea37c0e7917a6edaec783510583dca72032c8b5cdde2f35dc2a46ca2fb926.exe	28
PID 328 wrote to memory of 2416	328	8d8ea37c0e7917a6edaec783510583dca72032c8b5cdde2f35dc2a46ca2fb926.exe	28

C:\Users\Admin\AppData\Local\Temp\8d8ea37c0e7917a6edaec783510583dca72032c8b5cdde2f35dc2a46ca2fb926.exe
"C:\Users\Admin\AppData\Local\Temp\8d8ea37c0e7917a6edaec783510583dca72032c8b5cdde2f35dc2a46ca2fb926.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 340
  2⤵
  - Program crash
  PID:2416

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact