f4680a7804fdc91402f3e5e30debdce3bc8ba64ed8e695129483b9ef2e9cef65

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 02:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f4680a7804fdc91402f3e5e30debdce3bc8ba64ed8e695129483b9ef2e9cef65.exe
Size

7.7MB
MD5

b095bebcdad8958e1f5bad231639ed69
SHA1

6813f180d7242b04fdbcffb971d0c4a710647275
SHA256

f4680a7804fdc91402f3e5e30debdce3bc8ba64ed8e695129483b9ef2e9cef65
SHA512

299e550b59c06d8b8619d0afe00dc8761c0e998cf525791eb793a4e2a2f7204b9a6d8471f6174fdcb7bb487074cc04a741ffbc05976ea1eefa9a873c81c1d495
SSDEEP

196608:FyLcu1XKI+9BCWDCT9sllWvsIphqkB4309n5pkYb:oQD5Il9xpm30pk6

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
964	f4680a7804fdc91402f3e5e30debdce3bc8ba64ed8e695129483b9ef2e9cef65.exe
964	f4680a7804fdc91402f3e5e30debdce3bc8ba64ed8e695129483b9ef2e9cef65.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dlqmain.dll	f4680a7804fdc91402f3e5e30debdce3bc8ba64ed8e695129483b9ef2e9cef65.exe
File opened for modification	C:\Windows\SysWOW64\dlqmain.dll	f4680a7804fdc91402f3e5e30debdce3bc8ba64ed8e695129483b9ef2e9cef65.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
964	f4680a7804fdc91402f3e5e30debdce3bc8ba64ed8e695129483b9ef2e9cef65.exe
964	f4680a7804fdc91402f3e5e30debdce3bc8ba64ed8e695129483b9ef2e9cef65.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
208	964	WerFault.exe	81
1708	964	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
964	f4680a7804fdc91402f3e5e30debdce3bc8ba64ed8e695129483b9ef2e9cef65.exe
964	f4680a7804fdc91402f3e5e30debdce3bc8ba64ed8e695129483b9ef2e9cef65.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	964	f4680a7804fdc91402f3e5e30debdce3bc8ba64ed8e695129483b9ef2e9cef65.exe

C:\Users\Admin\AppData\Local\Temp\f4680a7804fdc91402f3e5e30debdce3bc8ba64ed8e695129483b9ef2e9cef65.exe
"C:\Users\Admin\AppData\Local\Temp\f4680a7804fdc91402f3e5e30debdce3bc8ba64ed8e695129483b9ef2e9cef65.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 776
  2⤵
  - Program crash
  PID:208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 776
  2⤵
  - Program crash
  PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 964 -ip 964
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 964 -ip 964
1⤵
PID:3288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dlqmain.dll

Filesize
5.9MB

MD5
fcd3d21d2f53de4d764ce9aae4f9c041

SHA1
dff8b462ea38feabeb4e2167d95e8a97942b43c9

SHA256
48d2cbf323a21f2f2b05ecca3dbf357d076af5ba69fce3255b42efd739dee1af

SHA512
9bad4a448dc4db6a4572f9538932d52e939265d279eb0a3ce31fc479e5d9c9677aa49ab689c1947b8f42133d2ee809f2ca20d9595eca7f73d70e5f05883884ee

Download Submit
C:\Windows\SysWOW64\dlqmain.dll

Filesize
5.9MB

MD5
fcd3d21d2f53de4d764ce9aae4f9c041

SHA1
dff8b462ea38feabeb4e2167d95e8a97942b43c9

SHA256
48d2cbf323a21f2f2b05ecca3dbf357d076af5ba69fce3255b42efd739dee1af

SHA512
9bad4a448dc4db6a4572f9538932d52e939265d279eb0a3ce31fc479e5d9c9677aa49ab689c1947b8f42133d2ee809f2ca20d9595eca7f73d70e5f05883884ee

Download Submit
memory/964-14-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/964-15-0x0000000000400000-0x000000000131C000-memory.dmp

Filesize
15.1MB

Download
memory/964-2-0x0000000077A20000-0x0000000077A21000-memory.dmp

Filesize
4KB

Download
memory/964-9-0x0000000003E60000-0x0000000004B30000-memory.dmp

Filesize
12.8MB

Download
memory/964-10-0x0000000003E60000-0x0000000004B30000-memory.dmp

Filesize
12.8MB

Download
memory/964-13-0x00000000761A0000-0x00000000761A1000-memory.dmp

Filesize
4KB

Download
memory/964-1-0x0000000000400000-0x000000000131C000-memory.dmp

Filesize
15.1MB

Download
memory/964-3-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/964-16-0x0000000004B30000-0x0000000004BE9000-memory.dmp

Filesize
740KB

Download
memory/964-17-0x00000000064C0000-0x000000000655B000-memory.dmp

Filesize
620KB

Download
memory/964-18-0x0000000076530000-0x00000000767AE000-memory.dmp

Filesize
2.5MB

Download
memory/964-19-0x0000000003800000-0x0000000003829000-memory.dmp

Filesize
164KB

Download
memory/964-20-0x0000000006560000-0x000000000663B000-memory.dmp

Filesize
876KB

Download
memory/964-21-0x0000000075730000-0x00000000757C4000-memory.dmp

Filesize
592KB

Download
memory/964-22-0x0000000000400000-0x000000000131C000-memory.dmp

Filesize
15.1MB

Download
memory/964-23-0x0000000003E60000-0x0000000004B30000-memory.dmp

Filesize
12.8MB

Download