205b160c837a04a9180d27645ee032f5477a3ac03cbd081fc8089473d8ddb014

Analysis

max time kernel
44s
max time network
53s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
09/10/2023, 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BigRigsPatch_Nov16.exe
Size

3.4MB
MD5

6f54fd60ae6bfd328efd739bd7aec4cb
SHA1

d5d579bb90f7c85676d27e7c62e0b72a848af169
SHA256

205b160c837a04a9180d27645ee032f5477a3ac03cbd081fc8089473d8ddb014
SHA512

0fc8127d4aaf461de8c1bd2c6d48f186a9bd6adc6c3b16f7cbdebcf40a73654998ce91d3eaca96a54a58e95d4f2265a96ed376ac9d227cb6f1198f9ae5871632
SSDEEP

98304:VQSo8vmrKtxxMTSZnY87FgkibkE+Ws+q7W5o/A:VQmmreMmZjyvT6A

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4544	CarZ.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/368-0-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/368-1-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/368-112-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3564	4544	WerFault.exe	73

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	BigRigsPatch_Nov16.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	BigRigsPatch_Nov16.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
368	BigRigsPatch_Nov16.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4544	CarZ.exe
4544	CarZ.exe

C:\Users\Admin\AppData\Local\Temp\BigRigsPatch_Nov16.exe
"C:\Users\Admin\AppData\Local\Temp\BigRigsPatch_Nov16.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:368

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3032

C:\Users\Admin\Desktop\race\CarZ.exe
"C:\Users\Admin\Desktop\race\CarZ.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 744
  2⤵
  - Program crash
  PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\DATA\Images\Sun\SunGlow1.bmp

Filesize
192KB

MD5
779b48b66bb2a67f94b877e14ac85f51

SHA1
d9912008e111ace4a72b0a7470577dbde43e8b9d

SHA256
71b26ef0c34acd98abcc22b25807e10cea1c2caae8493a86101ed038bcc16b57

SHA512
5aabe65f7ae1754af70ed8682f4cfdad705c2a16654bd1e77c69e0514de48f52b263a57dc0272b50894440262d97fba0df950d00222c8f05ceade7e9570fc55e

Download Submit
C:\Users\Admin\Desktop\DATA\Tracks\004\sun.ini

Filesize
143B

MD5
5d29593b0697a0aa4e591285ad7a5da5

SHA1
8e6f056bd5e99b13ee5663a587ec53f2439f3d1a

SHA256
21f77c4953ef74824a1f0ae63326416f155903891e128c5f8d22c46a7a265b4c

SHA512
a7520e773ad7e64d0177be482720ccd0d12dd0f37835989d86ee30d56a214d3786e8d51f04bbebfbc87c4035850f77d25b7f8f07cc58962a683bdb0b19c11c15

Download Submit
C:\Users\Admin\Desktop\race\CarZ.exe

Filesize
592KB

MD5
818aad5317774ba54f2cb9a088604e97

SHA1
a4f028d696034aced3722022b7480db0210d82fb

SHA256
d490d0993c900397c8a30905bd21195c49150ba34798984e7f4e49796700c1d1

SHA512
1064a39371e1cffd95e86f8fca9f8bb9ce32f6974d1f17e426e837d62f1f42f165434d2fe0d651d09ede00d257d2a37708457fc9f72e56610e0acae364f403ba

Download Submit
C:\Users\Admin\Desktop\race\CarZ.exe

Filesize
592KB

MD5
818aad5317774ba54f2cb9a088604e97

SHA1
a4f028d696034aced3722022b7480db0210d82fb

SHA256
d490d0993c900397c8a30905bd21195c49150ba34798984e7f4e49796700c1d1

SHA512
1064a39371e1cffd95e86f8fca9f8bb9ce32f6974d1f17e426e837d62f1f42f165434d2fe0d651d09ede00d257d2a37708457fc9f72e56610e0acae364f403ba

Download Submit
C:\Users\Admin\Desktop\race\r3dlog.txt

Filesize
798B

MD5
524edecb88f7f9649bc2a2c94efcf81d

SHA1
4fd4e549480b65c6b1a60b4971b9ba8f9a0f8779

SHA256
9f806c3a24bcd7cb8346a887cd3e3d5c7e1bee4c64d88bf712b32911b22bf8d7

SHA512
905f98c0b0298fdc7e3f246caf6d9e9de7d035134931d8e718d988b45d5b60df7a0a39625401b5ff7c83f3e2ccec9e29043f11c4569e6a484751652f559e8025

Download Submit
C:\Users\Admin\Desktop\race\r3dlog.txt

Filesize
1KB

MD5
f585a1495dddca2fbb64dd41c6e5d5d7

SHA1
d181b3d0db2e8ed273ae8829072219b1c57dbd9f

SHA256
b13cdd076826ba65f51ca80aa0025bc69d6a0c64a58e975e1538c96744093934

SHA512
e129960f441fa681ea7f38084fb710cb533611fc66e6885f02ddbd9d8f577a117eb586e3bb58c1c57383c243a0a1a83ab37f7ac0800e7bd49ce2fb9492837b00

Download Submit
C:\Users\Admin\Desktop\race\r3dlog.txt

Filesize
2KB

MD5
2f39bc9f6129f9c2ff3d9d1faa7c48c0

SHA1
5cc4c3866060723b9f658a3bbf9419f547dec96e

SHA256
6bc35289a13b4e17af1f11c48e917bf8f1c8cba44a2285e02965be6526827c6d

SHA512
8f26b6c90aec32766d50cebc3bbf2dc080723ef3c02bd212cde728c6c6e2fb2e59f40dddddd808a958f7b438a4a69feda7fd364af19306731fc42bbe00897e3a

Download Submit
memory/368-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/368-1-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/368-112-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download