228c3940e349070310b7f8bd531a1a594fc0a677fbeaab7709b54f45d0be81fa

Analysis

max time kernel
100s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2023 03:02

Target

228c3940e349070310b7f8bd531a1a594fc0a677fbeaab7709b54f45d0be81fa.exe
Size

408KB
MD5

750362927420a2b4b15b9b3bf0b48d80
SHA1

92ed4dff52d92c931bfc68f9c1da260bc6836c92
SHA256

228c3940e349070310b7f8bd531a1a594fc0a677fbeaab7709b54f45d0be81fa
SHA512

27bb863bfc1c4e78bde41035365af698e91f3bb365c45727de397d777ff369cf60427b9f9ca78ed5b0f3a36c194114f252a52e4ca1d5cde6004b39e6ce6493fa
SSDEEP

6144:P8LxB0ipoXRl6686UvtuY89JWdPo92oo9hejx7qT4UJuROph4Hc2eCm1/rFb:xTBl668jvEJ2Po92hWIB5pZV1/rp

Score

7^/10

Executes dropped EXE 1 IoCs

Processes:

szumauym.exe

pid process

1868 szumauym.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3948 1868 WerFault.exe szumauym.exe

pid	process
1868	szumauym.exe

pid	pid_target	process	target process
3948	1868	WerFault.exe	szumauym.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

228c3940e349070310b7f8bd531a1a594fc0a677fbeaab7709b54f45d0be81fa.exeszumauym.exe

description	pid	process	target process
PID 3364 wrote to memory of 1868	3364	228c3940e349070310b7f8bd531a1a594fc0a677fbeaab7709b54f45d0be81fa.exe	szumauym.exe
PID 3364 wrote to memory of 1868	3364	228c3940e349070310b7f8bd531a1a594fc0a677fbeaab7709b54f45d0be81fa.exe	szumauym.exe
PID 3364 wrote to memory of 1868	3364	228c3940e349070310b7f8bd531a1a594fc0a677fbeaab7709b54f45d0be81fa.exe	szumauym.exe
PID 1868 wrote to memory of 4376	1868	szumauym.exe	szumauym.exe
PID 1868 wrote to memory of 4376	1868	szumauym.exe	szumauym.exe
PID 1868 wrote to memory of 4376	1868	szumauym.exe	szumauym.exe

C:\Users\Admin\AppData\Local\Temp\228c3940e349070310b7f8bd531a1a594fc0a677fbeaab7709b54f45d0be81fa.exe
"C:\Users\Admin\AppData\Local\Temp\228c3940e349070310b7f8bd531a1a594fc0a677fbeaab7709b54f45d0be81fa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3364

C:\Users\Admin\AppData\Local\Temp\szumauym.exe
"C:\Users\Admin\AppData\Local\Temp\szumauym.exe"
3⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 600
3⤵
- Program crash
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1868 -ip 1868
1⤵
PID:4792

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\fgaix.vdt

Filesize
337KB

MD5
23ba68e0a17bd2c37967ca14746b6d3c

SHA1
3ffa1ecf9c9ea5f01c72b4c2822bb865b03acabd

SHA256
af59dda66e3cc307bf07550282ca68d4b6e8dd5ffd94292f2e4f273f0b20f2ee

SHA512
4605f7cdbb818d8e422f085729f6e85a40ac9cec601e5efb55834b87460df144a692b954b85c4efafbf212cfefc24df06ffe20b42facc9bde0374054a477852d

Download Submit
C:\Users\Admin\AppData\Local\Temp\szumauym.exe

Filesize
164KB

MD5
c81e8878d918798ac66b721a230e418a

SHA1
da61219ef31095a8d4d98f7e960a27d5f6c43f10

SHA256
38252fcd96bf50bd5e18e5cec4c44f9467a47712b06a2cfc6168e21ef30606d0

SHA512
aaaa4504daa5c1169da740c31b6ffdc55f1ba7b32eb9bc430554a7880f3944936bef24aab30e690cba7c993a3fdb1c4bb51ba0fc803b078d93afe64a84f5f906

Download Submit
C:\Users\Admin\AppData\Local\Temp\szumauym.exe

Filesize
164KB

MD5
c81e8878d918798ac66b721a230e418a

SHA1
da61219ef31095a8d4d98f7e960a27d5f6c43f10

SHA256
38252fcd96bf50bd5e18e5cec4c44f9467a47712b06a2cfc6168e21ef30606d0

SHA512
aaaa4504daa5c1169da740c31b6ffdc55f1ba7b32eb9bc430554a7880f3944936bef24aab30e690cba7c993a3fdb1c4bb51ba0fc803b078d93afe64a84f5f906

Download Submit
memory/1868-5-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download