Analysis
- max time kernel: 142s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-12-2023 16:49
Static task: static1
Behavioral task: behavioral1
  Sample: 4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe
  Resource: win10v2004-20231130-en
General
- Target: 4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe
- Size: 590KB
- MD5: 9a46443adb0790a183a57bbbb4364319
- SHA1: 7b0fec8e74a85227590b8db215bda895c7df081e
- SHA256: 4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7
- SHA512: c6ff22639f8c5b43c3798f14c22b32da1441829434b18a4f7755c14ec35c3a186a89314e94dfac6ed714abc8221673bf2614c74c7949e93006e13ac92291debd
- SSDEEP: 6144:e8LxBDQx8ayrbor7Bh/YbFE+jawvkqEMtTXw/4fBvBcY6pZB6liIvMXhi7LlnbDE:qxPgUr7B2hiZqXjcY6gvMXhE5bZw1Hh
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    4488  kqwfsmdy.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes:
    pid   pid_target  process       target process
    2348  4488        WerFault.exe  kqwfsmdy.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process                                                                   target process
    PID 2000 wrote to memory of 4488  2000  4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe  kqwfsmdy.exe
    PID 2000 wrote to memory of 4488  2000  4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe  kqwfsmdy.exe
    PID 2000 wrote to memory of 4488  2000  4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe  kqwfsmdy.exe
    PID 4488 wrote to memory of 592   4488  kqwfsmdy.exe                                                              kqwfsmdy.exe
    PID 4488 wrote to memory of 592   4488  kqwfsmdy.exe                                                              kqwfsmdy.exe
    PID 4488 wrote to memory of 592   4488  kqwfsmdy.exe                                                              kqwfsmdy.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2000
  - C:\Users\Admin\AppData\Local\Temp\kqwfsmdy.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\kqwfsmdy.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4488
    - C:\Users\Admin\AppData\Local\Temp\kqwfsmdy.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\kqwfsmdy.exe"
      PID: 592
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 564
      - Program crash
      PID: 2348
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4488 -ip 4488
  PID: 976
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 174KB
  MD5: 2c5cdbdd5085c791f3b81e08c79de059
  SHA1: 73ff7c5c15bac1311fb9f471af1c875cda9b237f
  SHA256: ac6175b0a244705e107944c4838c2344be1c7f91ba6777d667a9df487014d90b
  SHA512: a3905e334d9d0b47e5ee399abf3b1c2211a68fb6971ec6144b1fec8bc0542c23289d2a390fe1f192d585dd5fdd43573eb45820d0ef5a50621d224f9d679ec650
- Filesize: 174KB
  MD5: 2c5cdbdd5085c791f3b81e08c79de059
  SHA1: 73ff7c5c15bac1311fb9f471af1c875cda9b237f
  SHA256: ac6175b0a244705e107944c4838c2344be1c7f91ba6777d667a9df487014d90b
  SHA512: a3905e334d9d0b47e5ee399abf3b1c2211a68fb6971ec6144b1fec8bc0542c23289d2a390fe1f192d585dd5fdd43573eb45820d0ef5a50621d224f9d679ec650
- Filesize: 333KB
  MD5: 2e445696a8ae2ff850c0fdbe917937cb
  SHA1: ce4e54cb29fd04a20efb19b5607d6aa3b2a81a9b
  SHA256: 10773af14402f5ec0c538bb6816afac711b2be71b356cb66ea625113261dd88b
  SHA512: a4142c10b0854506fee49533198b9a7a5a90bc52e26acc3d5c3cb16d848397d53097c9cc1b415a05a4269248daf571473f1566eab92c6f41a85ad48e4b6f9dc7