Analysis
max time kernel: 119s
max time network: 134s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 13-10-2023 20:37
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: FACTRA09876545689000.exe
  Resource: win7-20230831-en (windows7-x64)
  5 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: FACTRA09876545689000.exe
  Resource: win10v2004-20230915-en (windows10-2004-x64)
  10 signatures, 150 seconds
General
Target: FACTRA09876545689000.exe
Size: 473KB
MD5: 1853308b40b353d110ecbd0c0e09b24a
SHA1: 3b6f5aceb5d114178304588493eed2281718f358
SHA256: 19f5a1432457383a9f992ee9b9ebf5e719b3709dc630146a083843a582d6996f
SHA512: f053ed9f68b5fd55f57e4cccf40271109c89e282fa67dc4a195a0c89b9d79198431ed785fbbb35450775feaa37235a288e3b28dfaa39f64611cb0fd8523c7b89
SSDEEP: 12288:gkSMfMGuMFex9HNHfMGuMFex6R1SNjRZxF:jSMEGMSGMlNjR
Score: 7/10
Malware Config
Signatures

Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe | Powershell.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe | Powershell.exe

Program crash (1 IoC)
  pid | pid_target | process | target process
  2664 | 2448 | WerFault.exe | FACTRA09876545689000.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | process
  2080 | Powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 2080 | Powershell.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 2448 wrote to memory of 2080 | 2448 | FACTRA09876545689000.exe | Powershell.exe
  PID 2448 wrote to memory of 2080 | 2448 | FACTRA09876545689000.exe | Powershell.exe
  PID 2448 wrote to memory of 2080 | 2448 | FACTRA09876545689000.exe | Powershell.exe
  PID 2448 wrote to memory of 2080 | 2448 | FACTRA09876545689000.exe | Powershell.exe
  PID 2448 wrote to memory of 2660 | 2448 | FACTRA09876545689000.exe | FACTRA09876545689000.exe
  PID 2448 wrote to memory of 2660 | 2448 | FACTRA09876545689000.exe | FACTRA09876545689000.exe
  PID 2448 wrote to memory of 2660 | 2448 | FACTRA09876545689000.exe | FACTRA09876545689000.exe
  PID 2448 wrote to memory of 2660 | 2448 | FACTRA09876545689000.exe | FACTRA09876545689000.exe
  PID 2448 wrote to memory of 2664 | 2448 | FACTRA09876545689000.exe | WerFault.exe
  PID 2448 wrote to memory of 2664 | 2448 | FACTRA09876545689000.exe | WerFault.exe
  PID 2448 wrote to memory of 2664 | 2448 | FACTRA09876545689000.exe | WerFault.exe
  PID 2448 wrote to memory of 2664 | 2448 | FACTRA09876545689000.exe | WerFault.exe
Processes

C:\Users\Admin\AppData\Local\Temp\FACTRA09876545689000.exe (PID 2448)
  command line: "C:\Users\Admin\AppData\Local\Temp\FACTRA09876545689000.exe"
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe (PID 2080)
      command line: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\FACTRA09876545689000.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
      - Drops startup file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\FACTRA09876545689000.exe (PID 2660)
      command line: "C:\Users\Admin\AppData\Local\Temp\FACTRA09876545689000.exe"

    C:\Windows\SysWOW64\WerFault.exe (PID 2664)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 608
      - Program crash