6ecf7cf74a9eaa98f899c198b4e876a302041b090db057135eefc05c3c8a8607

Analysis

max time kernel
120s
max time network
137s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ecf7cf74a9eaa98f899c198b4e876a302041b090db057135eefc05c3c8a8607.exe
Size

203KB
MD5

5e8ca71cc6b60c4d92eac70f84e14487
SHA1

58988de5f00c4e8454a8dfd0126a58f39e7db8cb
SHA256

6ecf7cf74a9eaa98f899c198b4e876a302041b090db057135eefc05c3c8a8607
SHA512

9d83f3c43397b2cb56b3d7112fdab31f5b1d0d7705485ab141f5dafcb4dd955c150feaa0b2b59619933c0fd456ebb96a04f7e507ccb4fe4c6263b1aec68a44e0
SSDEEP

6144:ISEciALqb7GHGuMz7FeuRAOo6SLuQkmsS:ISEcdLqby2aUms

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2820	a.exe
2752	Googdler.exe

Loads dropped DLL 5 IoCs

pid	Process
1420	6ecf7cf74a9eaa98f899c198b4e876a302041b090db057135eefc05c3c8a8607.exe
1420	6ecf7cf74a9eaa98f899c198b4e876a302041b090db057135eefc05c3c8a8607.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1532	2752	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2820	a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	a.exe
Token: SeDebugPrivilege	2820	a.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 2820	1420	6ecf7cf74a9eaa98f899c198b4e876a302041b090db057135eefc05c3c8a8607.exe	29
PID 1420 wrote to memory of 2820	1420	6ecf7cf74a9eaa98f899c198b4e876a302041b090db057135eefc05c3c8a8607.exe	29
PID 1420 wrote to memory of 2820	1420	6ecf7cf74a9eaa98f899c198b4e876a302041b090db057135eefc05c3c8a8607.exe	29
PID 1420 wrote to memory of 2820	1420	6ecf7cf74a9eaa98f899c198b4e876a302041b090db057135eefc05c3c8a8607.exe	29
PID 1420 wrote to memory of 2752	1420	6ecf7cf74a9eaa98f899c198b4e876a302041b090db057135eefc05c3c8a8607.exe	30
PID 1420 wrote to memory of 2752	1420	6ecf7cf74a9eaa98f899c198b4e876a302041b090db057135eefc05c3c8a8607.exe	30
PID 1420 wrote to memory of 2752	1420	6ecf7cf74a9eaa98f899c198b4e876a302041b090db057135eefc05c3c8a8607.exe	30
PID 1420 wrote to memory of 2752	1420	6ecf7cf74a9eaa98f899c198b4e876a302041b090db057135eefc05c3c8a8607.exe	30
PID 2752 wrote to memory of 1532	2752	Googdler.exe	31
PID 2752 wrote to memory of 1532	2752	Googdler.exe	31
PID 2752 wrote to memory of 1532	2752	Googdler.exe	31
PID 2752 wrote to memory of 1532	2752	Googdler.exe	31

C:\Users\Admin\AppData\Local\Temp\6ecf7cf74a9eaa98f899c198b4e876a302041b090db057135eefc05c3c8a8607.exe
"C:\Users\Admin\AppData\Local\Temp\6ecf7cf74a9eaa98f899c198b4e876a302041b090db057135eefc05c3c8a8607.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Public\Admin558\a.exe
  "C:\Users\Public\Admin558\a.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Users\Public\Admin558\Googdler.exe
  "C:\Users\Public\Admin558\Googdler.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 116
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Admin558\Googdler.exe

Filesize
84KB

MD5
686f22f397c2322876239d72d500a0cd

SHA1
fcd252fa36d37ee72eb31e0fe353176403fa274b

SHA256
715c7de857cd700dcf510988fe5ae0ef24c8fd0c714da74eaac3e967072c5e3d

SHA512
812e72466ad23c738e99fddda3301e6313d8a23a1ba6dca25d1feec1232d517524c4e9b7f0df03644b6aad04d1560357c9369ec4f1eb72eac5652eb2ef0ef759

Download Submit
C:\Users\Public\Admin558\Googdler.exe

Filesize
84KB

MD5
686f22f397c2322876239d72d500a0cd

SHA1
fcd252fa36d37ee72eb31e0fe353176403fa274b

SHA256
715c7de857cd700dcf510988fe5ae0ef24c8fd0c714da74eaac3e967072c5e3d

SHA512
812e72466ad23c738e99fddda3301e6313d8a23a1ba6dca25d1feec1232d517524c4e9b7f0df03644b6aad04d1560357c9369ec4f1eb72eac5652eb2ef0ef759

Download Submit
C:\Users\Public\Admin558\a.exe

Filesize
126KB

MD5
c52628453cdf55063ad0a4d6527bdec5

SHA1
013fb935ca85e37e94dfff409d1bd6275eb5e3b8

SHA256
d764f6bd49645b0ec3662530405c034d9ef9752455170d5aae2310ae37f6658c

SHA512
f7f4b1a8c36f76d0d6d5aeb13edb3a39cb71404afe41ca75ab655682831c8640217b83db02ef08d992cb3b943fd06b6a26a917d5830377ef3a5ca84c84c87918

Download Submit
C:\Users\Public\Admin558\a.exe

Filesize
126KB

MD5
c52628453cdf55063ad0a4d6527bdec5

SHA1
013fb935ca85e37e94dfff409d1bd6275eb5e3b8

SHA256
d764f6bd49645b0ec3662530405c034d9ef9752455170d5aae2310ae37f6658c

SHA512
f7f4b1a8c36f76d0d6d5aeb13edb3a39cb71404afe41ca75ab655682831c8640217b83db02ef08d992cb3b943fd06b6a26a917d5830377ef3a5ca84c84c87918

Download Submit
\Users\Public\Admin558\Googdler.exe

Filesize
84KB

MD5
686f22f397c2322876239d72d500a0cd

SHA1
fcd252fa36d37ee72eb31e0fe353176403fa274b

SHA256
715c7de857cd700dcf510988fe5ae0ef24c8fd0c714da74eaac3e967072c5e3d

SHA512
812e72466ad23c738e99fddda3301e6313d8a23a1ba6dca25d1feec1232d517524c4e9b7f0df03644b6aad04d1560357c9369ec4f1eb72eac5652eb2ef0ef759

Download Submit
\Users\Public\Admin558\Googdler.exe

Filesize
84KB

MD5
686f22f397c2322876239d72d500a0cd

SHA1
fcd252fa36d37ee72eb31e0fe353176403fa274b

SHA256
715c7de857cd700dcf510988fe5ae0ef24c8fd0c714da74eaac3e967072c5e3d

SHA512
812e72466ad23c738e99fddda3301e6313d8a23a1ba6dca25d1feec1232d517524c4e9b7f0df03644b6aad04d1560357c9369ec4f1eb72eac5652eb2ef0ef759

Download Submit
\Users\Public\Admin558\Googdler.exe

Filesize
84KB

MD5
686f22f397c2322876239d72d500a0cd

SHA1
fcd252fa36d37ee72eb31e0fe353176403fa274b

SHA256
715c7de857cd700dcf510988fe5ae0ef24c8fd0c714da74eaac3e967072c5e3d

SHA512
812e72466ad23c738e99fddda3301e6313d8a23a1ba6dca25d1feec1232d517524c4e9b7f0df03644b6aad04d1560357c9369ec4f1eb72eac5652eb2ef0ef759

Download Submit
\Users\Public\Admin558\Googdler.exe

Filesize
84KB

MD5
686f22f397c2322876239d72d500a0cd

SHA1
fcd252fa36d37ee72eb31e0fe353176403fa274b

SHA256
715c7de857cd700dcf510988fe5ae0ef24c8fd0c714da74eaac3e967072c5e3d

SHA512
812e72466ad23c738e99fddda3301e6313d8a23a1ba6dca25d1feec1232d517524c4e9b7f0df03644b6aad04d1560357c9369ec4f1eb72eac5652eb2ef0ef759

Download Submit
\Users\Public\Admin558\a.exe

Filesize
126KB

MD5
c52628453cdf55063ad0a4d6527bdec5

SHA1
013fb935ca85e37e94dfff409d1bd6275eb5e3b8

SHA256
d764f6bd49645b0ec3662530405c034d9ef9752455170d5aae2310ae37f6658c

SHA512
f7f4b1a8c36f76d0d6d5aeb13edb3a39cb71404afe41ca75ab655682831c8640217b83db02ef08d992cb3b943fd06b6a26a917d5830377ef3a5ca84c84c87918

Download Submit
memory/2752-26-0x00000000005C0000-0x0000000000600000-memory.dmp

Filesize
256KB

Download
memory/2752-30-0x00000000005C0000-0x0000000000600000-memory.dmp

Filesize
256KB

Download