83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2023, 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe
Size

2.6MB
MD5

cf452457e489d0456e94f9c143287b24
SHA1

f12b5058ca6ecac5f26fd9646da3b3d2a1c03fd1
SHA256

83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb
SHA512

9c499cdef197e2acac9ae4afc0bb67cd82004387f16ed1913fca70ca3b58a9ce9167c5f9401d881e64a1d603df57706355480b7a4f010729f367fb090959219a
SSDEEP

49152:guo6xKnoY2xMCgsG8KI1rmttJffLCl3kHM1/:q6xKnBZTsGpKrmtffLCl3R1/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2104	WindowsIT.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
4520	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe
4520	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe
4520	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe
2104	WindowsIT.EXE
2104	WindowsIT.EXE
2104	WindowsIT.EXE

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4656	4520	WerFault.exe	83
1736	2104	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4520	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe
4520	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe
4520	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe
4520	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe
4520	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe
4520	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 2104	4520	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe	92
PID 4520 wrote to memory of 2104	4520	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe	92
PID 4520 wrote to memory of 2104	4520	83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe	92

C:\Users\Admin\AppData\Local\Temp\83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe
"C:\Users\Admin\AppData\Local\Temp\83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 296
  2⤵
  - Program crash
  PID:4656
- C:\WindowsIT.EXE
  "C:\WindowsIT.EXE " /service
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 296
    3⤵
    - Program crash
    PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4520 -ip 4520
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2104 -ip 2104
1⤵
PID:3768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WindowsIT.EXE

Filesize
2.6MB

MD5
cf452457e489d0456e94f9c143287b24

SHA1
f12b5058ca6ecac5f26fd9646da3b3d2a1c03fd1

SHA256
83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb

SHA512
9c499cdef197e2acac9ae4afc0bb67cd82004387f16ed1913fca70ca3b58a9ce9167c5f9401d881e64a1d603df57706355480b7a4f010729f367fb090959219a

Download Submit
C:\WindowsIT.EXE

Filesize
2.6MB

MD5
cf452457e489d0456e94f9c143287b24

SHA1
f12b5058ca6ecac5f26fd9646da3b3d2a1c03fd1

SHA256
83403012b1bab36649169a465242170c7419e77d1e9759f109eb22392ddd7eeb

SHA512
9c499cdef197e2acac9ae4afc0bb67cd82004387f16ed1913fca70ca3b58a9ce9167c5f9401d881e64a1d603df57706355480b7a4f010729f367fb090959219a

Download Submit
C:\WindowsIbrc_Server.dat

Filesize
218B

MD5
fc7c14b32d338af40e757510429ddae3

SHA1
6fd47e899f103df8c5d6f0d4355a05153606c45e

SHA256
ba01cb9091a73b34e9902948e527c2de420051ab6c2b3afa3c6d30a871f27476

SHA512
9bee0e9868214a492072c48fcde508e1307d7031bf4200e8be2c25ff8ce7ee60238d6806350fe7de3413c214379effcfb65317382427060fb4b13557a669ac2b

Download Submit
memory/2104-9-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/2104-11-0x00000000026C0000-0x00000000026C8000-memory.dmp

Filesize
32KB

Download
memory/2104-12-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/4520-0-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/4520-1-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/4520-2-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/4520-8-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download