998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea

Analysis

max time kernel
137s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2023, 00:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
Size

13.6MB
MD5

6b347a2c6f3c74e67f3aa615c399b4ea
SHA1

565324eec197f948b8b2a5c3eb9cde89e34de00e
SHA256

998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea
SHA512

2a3f78768e3fa55425196d1cc5b2f831da2afbd6419ab582ad0f9ef637c12595ae15f21c7709b6078714378e18b00788aa29209c96b5bd5cae5d4f99e6c761eb
SSDEEP

196608:3QDF3hHLhSVdLn90wdQBlhm0UezQH1YNjoDTDC98CtHOdNNqUPipd7TJP4vRPdrk:3QdhcVRMm0uhDXC9x8iTTJy1drVC9

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4164	3524	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 4944	3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe	96
PID 3524 wrote to memory of 4944	3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe	96
PID 3524 wrote to memory of 4944	3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe	96
PID 3524 wrote to memory of 1440	3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe	93
PID 3524 wrote to memory of 1440	3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe	93
PID 3524 wrote to memory of 1440	3524	998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe	93

C:\Users\Admin\AppData\Local\Temp\998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe
"C:\Users\Admin\AppData\Local\Temp\998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\*.dll"
  2⤵
  PID:1440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\*fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exe"
  2⤵
  PID:4944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 2908
  2⤵
  - Program crash
  PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3524 -ip 3524
1⤵
PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8463a734c7f8bc00ad2efaba0e835c2d.ini

Filesize
3KB

MD5
9abb2a50cbd37d90bb6833080ba9b780

SHA1
7e2de8b3b8af72a0e2fb34f17ba793eec3ac9af2

SHA256
e18798b467c8a6497e68cf0d1ef287fb23f7b9d4edeb33b484497c208b1da10f

SHA512
a86a4b176a1df3e2b1114e2b92366daa3965e0103a91dc191f1e4ba6d79ade5a054242b8bf4cef0e11c31fefdda8b4944260bf820e77f205e8004346c7fe0927

Download Submit
C:\Users\Admin\AppData\Local\Temp\8463a734c7f8bc00ad2efaba0e835c2dA.ini

Filesize
1KB

MD5
c2f6cf1e8cd82188ace4598132d41bb9

SHA1
11d3612ee6b7e039699313143332872a36e02f0c

SHA256
a6b8d9c83aedc3d6c725bcb27c143bc0415179a5774c78ed6c2c6e23cdcf47e6

SHA512
637846467cf64196043d885329d4c5b3826a9ca9cbac041e487bd15bb8bd30a3eb69d4f3e1049b8658e6aa44364d9dbb4a9428ec1bf9ae21d5cf1cf1fd5497f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\998fc1e3d4c495c8456a338731c2ca2fc0da2a854144862c24bc8434026939ea.exepack.tmp

Filesize
2KB

MD5
998cb7418913b528af5ad31dd994d963

SHA1
16c4b2feaab03208984f995973c9517531f2183c

SHA256
32c99cd52471224959db80db6068ec26f8e8bf1ae33e5b458163ca1b0116b8a0

SHA512
cc5964f065ae5daddd56559f03bd5c271a185cdb26b9c026b7ef88d54ba86d5f2c37bf75dcbe027250c98006278f9683fbd960a8d540d0d848f3403b92690b9d

Download Submit
memory/3524-0-0x0000000000400000-0x0000000001CBD000-memory.dmp

Filesize
24.7MB

Download
memory/3524-1-0x0000000003A10000-0x0000000003A13000-memory.dmp

Filesize
12KB

Download
memory/3524-2-0x0000000000400000-0x0000000001CBD000-memory.dmp

Filesize
24.7MB

Download
memory/3524-5-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download
memory/3524-317-0x0000000000400000-0x0000000001CBD000-memory.dmp

Filesize
24.7MB

Download
memory/3524-347-0x0000000000400000-0x0000000001CBD000-memory.dmp

Filesize
24.7MB

Download
memory/3524-348-0x0000000003A10000-0x0000000003A13000-memory.dmp

Filesize
12KB

Download
memory/3524-349-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download