4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2023 16:49

Target

4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe
Size

590KB
MD5

9a46443adb0790a183a57bbbb4364319
SHA1

7b0fec8e74a85227590b8db215bda895c7df081e
SHA256

4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7
SHA512

c6ff22639f8c5b43c3798f14c22b32da1441829434b18a4f7755c14ec35c3a186a89314e94dfac6ed714abc8221673bf2614c74c7949e93006e13ac92291debd
SSDEEP

6144:e8LxBDQx8ayrbor7Bh/YbFE+jawvkqEMtTXw/4fBvBcY6pZB6liIvMXhi7LlnbDE:qxPgUr7B2hiZqXjcY6gvMXhE5bZw1Hh

Score

7^/10

Executes dropped EXE 1 IoCs

Processes:

kqwfsmdy.exe

pid process

4488 kqwfsmdy.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2348 4488 WerFault.exe kqwfsmdy.exe

pid	process
4488	kqwfsmdy.exe

pid	pid_target	process	target process
2348	4488	WerFault.exe	kqwfsmdy.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exekqwfsmdy.exe

description	pid	process	target process
PID 2000 wrote to memory of 4488	2000	4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe	kqwfsmdy.exe
PID 2000 wrote to memory of 4488	2000	4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe	kqwfsmdy.exe
PID 2000 wrote to memory of 4488	2000	4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe	kqwfsmdy.exe
PID 4488 wrote to memory of 592	4488	kqwfsmdy.exe	kqwfsmdy.exe
PID 4488 wrote to memory of 592	4488	kqwfsmdy.exe	kqwfsmdy.exe
PID 4488 wrote to memory of 592	4488	kqwfsmdy.exe	kqwfsmdy.exe

C:\Users\Admin\AppData\Local\Temp\4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe
"C:\Users\Admin\AppData\Local\Temp\4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\kqwfsmdy.exe
"C:\Users\Admin\AppData\Local\Temp\kqwfsmdy.exe"
3⤵
PID:592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 564
3⤵
- Program crash
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4488 -ip 4488
1⤵
PID:976

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\kqwfsmdy.exe

Filesize
174KB

MD5
2c5cdbdd5085c791f3b81e08c79de059

SHA1
73ff7c5c15bac1311fb9f471af1c875cda9b237f

SHA256
ac6175b0a244705e107944c4838c2344be1c7f91ba6777d667a9df487014d90b

SHA512
a3905e334d9d0b47e5ee399abf3b1c2211a68fb6971ec6144b1fec8bc0542c23289d2a390fe1f192d585dd5fdd43573eb45820d0ef5a50621d224f9d679ec650

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqwfsmdy.exe

Filesize
174KB

MD5
2c5cdbdd5085c791f3b81e08c79de059

SHA1
73ff7c5c15bac1311fb9f471af1c875cda9b237f

SHA256
ac6175b0a244705e107944c4838c2344be1c7f91ba6777d667a9df487014d90b

SHA512
a3905e334d9d0b47e5ee399abf3b1c2211a68fb6971ec6144b1fec8bc0542c23289d2a390fe1f192d585dd5fdd43573eb45820d0ef5a50621d224f9d679ec650

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymatuopkk.hii

Filesize
333KB

MD5
2e445696a8ae2ff850c0fdbe917937cb

SHA1
ce4e54cb29fd04a20efb19b5607d6aa3b2a81a9b

SHA256
10773af14402f5ec0c538bb6816afac711b2be71b356cb66ea625113261dd88b

SHA512
a4142c10b0854506fee49533198b9a7a5a90bc52e26acc3d5c3cb16d848397d53097c9cc1b415a05a4269248daf571473f1566eab92c6f41a85ad48e4b6f9dc7

Download Submit
memory/4488-5-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download