f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7

Analysis

max time kernel
140s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2023, 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe
Size

2.6MB
MD5

3a6e8875064d719770b270e5437ce141
SHA1

57c1c28d42b9f1c7550ded4b0ccfb63913d441e0
SHA256

f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7
SHA512

2a062be471c4554d14ba72a9b3cb900ed8a75c58def48b18c90d6a4db6111edd229b79a54ce405330ee5dd1cb536fec79bd11e4df6a7f5abf5e3651c62fd1837
SSDEEP

49152:JeFaVwL5NVFghgVaEyDythI8HK7noTBHSZLK0BoF3y5i6d:uay9XvMlDkhI84eHSZNBoF3X6d

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4956	WindowsIT.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2700	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe
2700	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe
2700	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe
4956	WindowsIT.EXE
4956	WindowsIT.EXE
4956	WindowsIT.EXE

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1412	2700	WerFault.exe	81
4512	4956	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2700	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe
2700	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe
2700	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe
2700	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe
2700	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe
2700	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 4956	2700	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe	89
PID 2700 wrote to memory of 4956	2700	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe	89
PID 2700 wrote to memory of 4956	2700	f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe	89

C:\Users\Admin\AppData\Local\Temp\f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe
"C:\Users\Admin\AppData\Local\Temp\f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 296
  2⤵
  - Program crash
  PID:1412
- C:\WindowsIT.EXE
  "C:\WindowsIT.EXE " /service
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 296
    3⤵
    - Program crash
    PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2700 -ip 2700
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4956 -ip 4956
1⤵
PID:4540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WindowsIT.EXE

Filesize
2.6MB

MD5
3a6e8875064d719770b270e5437ce141

SHA1
57c1c28d42b9f1c7550ded4b0ccfb63913d441e0

SHA256
f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7

SHA512
2a062be471c4554d14ba72a9b3cb900ed8a75c58def48b18c90d6a4db6111edd229b79a54ce405330ee5dd1cb536fec79bd11e4df6a7f5abf5e3651c62fd1837

Download Submit
C:\WindowsIT.EXE

Filesize
2.6MB

MD5
3a6e8875064d719770b270e5437ce141

SHA1
57c1c28d42b9f1c7550ded4b0ccfb63913d441e0

SHA256
f6f6e803f81be14cffe47666978202661ea26791cad5e68717c9daae583405f7

SHA512
2a062be471c4554d14ba72a9b3cb900ed8a75c58def48b18c90d6a4db6111edd229b79a54ce405330ee5dd1cb536fec79bd11e4df6a7f5abf5e3651c62fd1837

Download Submit
C:\WindowsIbrc_Server.dat

Filesize
218B

MD5
fc7c14b32d338af40e757510429ddae3

SHA1
6fd47e899f103df8c5d6f0d4355a05153606c45e

SHA256
ba01cb9091a73b34e9902948e527c2de420051ab6c2b3afa3c6d30a871f27476

SHA512
9bee0e9868214a492072c48fcde508e1307d7031bf4200e8be2c25ff8ce7ee60238d6806350fe7de3413c214379effcfb65317382427060fb4b13557a669ac2b

Download Submit
memory/2700-0-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download
memory/2700-1-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download
memory/2700-2-0x0000000002600000-0x0000000002608000-memory.dmp

Filesize
32KB

Download
memory/2700-8-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download
memory/4956-9-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download
memory/4956-10-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/4956-12-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download