a9504ae35036fef71cf35b5b958c948d1c0ef365772ebc960d04e92e8ad96737

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2023 01:36

Target

a9504ae35036fef71cf35b5b958c948d1c0ef365772ebc960d04e92e8ad96737.exe
Size

432KB
MD5

15d40168b52a1cf5882ab9fc782a79ac
SHA1

ef61e46d0fcf5b1fed7a299ae4fedb042d8f9615
SHA256

a9504ae35036fef71cf35b5b958c948d1c0ef365772ebc960d04e92e8ad96737
SHA512

3c05836601e8ec8c82b98e572f535881ca55512eb68f4e06f68396d8934f81207f2dc3c0e6db2d21efaffbad14a2aed813d0fff7eded4f6cebe2fec68d9a8873
SSDEEP

6144:t8LxB6OIh2rW/DFdDD8UGsexWaens8AJkNrHqHNnNVNDSb4O4II4qJma:JOc2CBd/DYxWap/JkUJxO4v4Yma

Score

7^/10

Executes dropped EXE 1 IoCs

Processes:

zyrhjxa.exe

pid process

2436 zyrhjxa.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3592 2436 WerFault.exe zyrhjxa.exe

pid	process
2436	zyrhjxa.exe

pid	pid_target	process	target process
3592	2436	WerFault.exe	zyrhjxa.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a9504ae35036fef71cf35b5b958c948d1c0ef365772ebc960d04e92e8ad96737.exezyrhjxa.exe

description	pid	process	target process
PID 3228 wrote to memory of 2436	3228	a9504ae35036fef71cf35b5b958c948d1c0ef365772ebc960d04e92e8ad96737.exe	zyrhjxa.exe
PID 3228 wrote to memory of 2436	3228	a9504ae35036fef71cf35b5b958c948d1c0ef365772ebc960d04e92e8ad96737.exe	zyrhjxa.exe
PID 3228 wrote to memory of 2436	3228	a9504ae35036fef71cf35b5b958c948d1c0ef365772ebc960d04e92e8ad96737.exe	zyrhjxa.exe
PID 2436 wrote to memory of 2704	2436	zyrhjxa.exe	zyrhjxa.exe
PID 2436 wrote to memory of 2704	2436	zyrhjxa.exe	zyrhjxa.exe
PID 2436 wrote to memory of 2704	2436	zyrhjxa.exe	zyrhjxa.exe

C:\Users\Admin\AppData\Local\Temp\a9504ae35036fef71cf35b5b958c948d1c0ef365772ebc960d04e92e8ad96737.exe
"C:\Users\Admin\AppData\Local\Temp\a9504ae35036fef71cf35b5b958c948d1c0ef365772ebc960d04e92e8ad96737.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3228

C:\Users\Admin\AppData\Local\Temp\zyrhjxa.exe
"C:\Users\Admin\AppData\Local\Temp\zyrhjxa.exe"
3⤵
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 520
3⤵
- Program crash
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2436 -ip 2436
1⤵
PID:3924

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\qamsmzbqeo.mfy

Filesize
333KB

MD5
34814aa0e780d3d5bef594ffb2cee17d

SHA1
dbe1e613d0de4674bbf80378afd3710b6b159545

SHA256
80f5669ff15457a1384bd3b2f56702e96d36463422bfcb86f35bb718fa44eda4

SHA512
f2157c83f868beb7ba1320debdf3ef2144700038883eef2ed4c68a8900ceeb48eb3332ea17e85c4ea943ee55ceda5aed2f9c0f01b5e7c7c0f8d2546bc432aa05

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyrhjxa.exe

Filesize
174KB

MD5
cea16b31436e1bc19bca99faae869e35

SHA1
15b27f85b3dd5567f7825d1aee6d838d3b5f69c5

SHA256
21653b060487283e11cba12d6d2a2d417c40e74c02a367a52647a94146636764

SHA512
301f07e5ca7949e138212e4f4da0b8c48e7a91f2c8f1619927b259bf31298205eae3127d92e03f80ac5e939c512fb17b3f3b3d3b5b61bacef50f21d6d5f9271f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyrhjxa.exe

Filesize
174KB

MD5
cea16b31436e1bc19bca99faae869e35

SHA1
15b27f85b3dd5567f7825d1aee6d838d3b5f69c5

SHA256
21653b060487283e11cba12d6d2a2d417c40e74c02a367a52647a94146636764

SHA512
301f07e5ca7949e138212e4f4da0b8c48e7a91f2c8f1619927b259bf31298205eae3127d92e03f80ac5e939c512fb17b3f3b3d3b5b61bacef50f21d6d5f9271f

Download Submit
memory/2436-5-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download