0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2023 10:15

Target

NEAS.0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe
Size

330KB
MD5

9defa32ab3c74af8e29aea03a454934e
SHA1

04dac45bb456d502638ac199f8a4bb9285167658
SHA256

0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364
SHA512

b43c24dcf817b310c94743efd49e803d3c48a24192bed6ab99cfa813af5df20e69ac67f052ba613a185519ef5f0b1e9aaeacf7d77a40d0a32e4aa03747ca282f
SSDEEP

6144:wBlL/Di/CcLN+BiYHbAabwWZKhl/fnT6vWKupX4ZWK2j1Mu9nBE:CZiFN4rbRbtYZnTsW7U22mE

Score

7^/10

Executes dropped EXE 1 IoCs

Processes:

dkudxis.exe

pid process

3200 dkudxis.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

868 3200 WerFault.exe dkudxis.exe

pid	process
3200	dkudxis.exe

pid	pid_target	process	target process
868	3200	WerFault.exe	dkudxis.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

NEAS.0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exedkudxis.exe

description	pid	process	target process
PID 5032 wrote to memory of 3200	5032	NEAS.0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe	dkudxis.exe
PID 5032 wrote to memory of 3200	5032	NEAS.0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe	dkudxis.exe
PID 5032 wrote to memory of 3200	5032	NEAS.0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe	dkudxis.exe
PID 3200 wrote to memory of 1056	3200	dkudxis.exe	dkudxis.exe
PID 3200 wrote to memory of 1056	3200	dkudxis.exe	dkudxis.exe
PID 3200 wrote to memory of 1056	3200	dkudxis.exe	dkudxis.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5032

C:\Users\Admin\AppData\Local\Temp\dkudxis.exe
"C:\Users\Admin\AppData\Local\Temp\dkudxis.exe"
3⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 572
3⤵
- Program crash
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3200 -ip 3200
1⤵
PID:2492

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\dkudxis.exe

Filesize
165KB

MD5
265d03e2362687fa11bd38903296c90a

SHA1
95ec7500a11ff8bf5809bbdd2e86ebafc2ce9765

SHA256
437cd124c76c0f79962fea99694cbd9bed574a2428c6e174ef7391ed52fe277c

SHA512
cf21e66e5f21ad43ad4e2ad5e7cdde8ca7530309afea2d7a5df047ae0bf8d9bf5c4dc8b6de7a9f2d24b9524a5ae2ff16c3af0cb3493942646016a67bc8c91c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkudxis.exe

Filesize
165KB

MD5
265d03e2362687fa11bd38903296c90a

SHA1
95ec7500a11ff8bf5809bbdd2e86ebafc2ce9765

SHA256
437cd124c76c0f79962fea99694cbd9bed574a2428c6e174ef7391ed52fe277c

SHA512
cf21e66e5f21ad43ad4e2ad5e7cdde8ca7530309afea2d7a5df047ae0bf8d9bf5c4dc8b6de7a9f2d24b9524a5ae2ff16c3af0cb3493942646016a67bc8c91c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\izahuopxvuj.ptu

Filesize
262KB

MD5
2df4d71b568e778685d268ca305207bb

SHA1
703aff435d69a6a57801cdb394b5563bb9053eee

SHA256
6d9fa06d84ba86dc703b7f5704112cef0aa877c47b8bf8f51282d5f017f881bc

SHA512
e37a8fd2802334cc45fcb988e9c3a22ebd6cfe15d292f5bff12275abcc1d15648556bf3850a56c8705a8b3c77dddd9a4c6e4688fa71569fdf073d381713564bd

Download Submit
memory/3200-5-0x00000000014F0000-0x00000000014F2000-memory.dmp

Filesize
8KB

Download