5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9

Analysis

max time kernel
127s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2023 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9_JC.exe
Size

379KB
MD5

81a5c535b46c2a330913597e8f888f25
SHA1

168679807c96c893221252a50d8884760e29ac49
SHA256

5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9
SHA512

84941e2e3252eb256fda307f17956a0c8698b53f10e83bb3473e85063835a8f2028a48c7076be35cc01f4eec49c5cf3477503c486ea404669d390132444cfbd5
SSDEEP

6144:BnPdudwDsOGVkx6NDrYDo82AN2B1LUYuhrCd/uAkDR1FyENc/LRxJW6ah4U73C9S:BnPdwOxxCDvAN2B1KChuAk1jWrJWPpyS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4596	eeuhnbzrv.exe
2004	eeuhnbzrv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4596 set thread context of 2004	4596	eeuhnbzrv.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2744	2004	WerFault.exe	90

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4596	eeuhnbzrv.exe
4596	eeuhnbzrv.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 4596	4192	5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9_JC.exe	89
PID 4192 wrote to memory of 4596	4192	5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9_JC.exe	89
PID 4192 wrote to memory of 4596	4192	5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9_JC.exe	89
PID 4596 wrote to memory of 2004	4596	eeuhnbzrv.exe	90
PID 4596 wrote to memory of 2004	4596	eeuhnbzrv.exe	90
PID 4596 wrote to memory of 2004	4596	eeuhnbzrv.exe	90
PID 4596 wrote to memory of 2004	4596	eeuhnbzrv.exe	90

C:\Users\Admin\AppData\Local\Temp\5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9_JC.exe
"C:\Users\Admin\AppData\Local\Temp\5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\eeuhnbzrv.exe
  "C:\Users\Admin\AppData\Local\Temp\eeuhnbzrv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\eeuhnbzrv.exe
    "C:\Users\Admin\AppData\Local\Temp\eeuhnbzrv.exe"
    3⤵
    - Executes dropped EXE
    PID:2004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 184
      4⤵
      Program crash
      PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2004 -ip 2004
1⤵
PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dxypckrhq.ts

Filesize
249KB

MD5
9e10dc8f0b5235c5d5f8e9341a81cf02

SHA1
a064af551534fe9b25ce3b063146334fabcfb54f

SHA256
3803da5830f4ca46d256502e018feb36877a25629b5203a20f94511f09acc2a4

SHA512
153029ec40f58baa12fc2d6f1b58d7b2c06d44dcf3e6b34d27b78bc1cc0500ea3c88f8fbe590b692f396d1af86860fc7b42814c71d20f9d17d6d0a2039b3528f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeuhnbzrv.exe

Filesize
194KB

MD5
249fc0616b7d71b8fa6cb6228c706f82

SHA1
10d99aed3d2f47b89b8deca25d9b630efebabc15

SHA256
38e5fd58c7a41df7f5bdd0b4da74ba20a43a48bff92b36f4f1d215fe6c1b8f24

SHA512
eda89083da1e7dd95712205af3c60b7f60d97bba9bcac5c63aa30c1fb8211bb6ff63f6011745e44b7ca1f79e004e8d69593d51906227152cf325410661342178

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeuhnbzrv.exe

Filesize
194KB

MD5
249fc0616b7d71b8fa6cb6228c706f82

SHA1
10d99aed3d2f47b89b8deca25d9b630efebabc15

SHA256
38e5fd58c7a41df7f5bdd0b4da74ba20a43a48bff92b36f4f1d215fe6c1b8f24

SHA512
eda89083da1e7dd95712205af3c60b7f60d97bba9bcac5c63aa30c1fb8211bb6ff63f6011745e44b7ca1f79e004e8d69593d51906227152cf325410661342178

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeuhnbzrv.exe

Filesize
194KB

MD5
249fc0616b7d71b8fa6cb6228c706f82

SHA1
10d99aed3d2f47b89b8deca25d9b630efebabc15

SHA256
38e5fd58c7a41df7f5bdd0b4da74ba20a43a48bff92b36f4f1d215fe6c1b8f24

SHA512
eda89083da1e7dd95712205af3c60b7f60d97bba9bcac5c63aa30c1fb8211bb6ff63f6011745e44b7ca1f79e004e8d69593d51906227152cf325410661342178

Download Submit
memory/2004-7-0x0000000000500000-0x000000000053A000-memory.dmp

Filesize
232KB

Download
memory/4596-5-0x0000000020960000-0x0000000020962000-memory.dmp

Filesize
8KB

Download