86608bbc9a9aa6e01636680205ef421bc37aeff7312960a821989f1eea7b3540

Analysis

max time kernel
92s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2023 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

purchase orders.exe
Size

407KB
MD5

e9f8fff3341f84d5f76570fd5068b8b5
SHA1

7daebfd9193ff0c4925523d470d71ff12d692f98
SHA256

86608bbc9a9aa6e01636680205ef421bc37aeff7312960a821989f1eea7b3540
SHA512

80fcd35320752592e7e163b5d50df19c01d061596bc411e0de7a666c156f28973b11fc8760c56a64382b22ddaf2c6aa05092ba1aba496970a0afcf7e6ed935ec
SSDEEP

12288:D9WEeYF2adf4qD7Wz+oHvu7oUgLCPj4tF2:D9WEeJhM35UUGAwU

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

uxtaxvs.exe

pid process

3860 uxtaxvs.exe

pid	process
3860	uxtaxvs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

uxtaxvs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fnjsso = "C:\\Users\\Admin\\AppData\\Roaming\\yirrnwwgcclhhq\\aavf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\uxtaxvs.exe\" "	uxtaxvs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3168 3860 WerFault.exe uxtaxvs.exe

pid	pid_target	process	target process
3168	3860	WerFault.exe	uxtaxvs.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

purchase orders.exeuxtaxvs.exe

description	pid	process	target process
PID 4604 wrote to memory of 3860	4604	purchase orders.exe	uxtaxvs.exe
PID 4604 wrote to memory of 3860	4604	purchase orders.exe	uxtaxvs.exe
PID 4604 wrote to memory of 3860	4604	purchase orders.exe	uxtaxvs.exe
PID 3860 wrote to memory of 4860	3860	uxtaxvs.exe	uxtaxvs.exe
PID 3860 wrote to memory of 4860	3860	uxtaxvs.exe	uxtaxvs.exe
PID 3860 wrote to memory of 4860	3860	uxtaxvs.exe	uxtaxvs.exe

C:\Users\Admin\AppData\Local\Temp\purchase orders.exe
"C:\Users\Admin\AppData\Local\Temp\purchase orders.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4604

C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe
"C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3860

C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe
"C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe"
3⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 680
3⤵
- Program crash
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3860 -ip 3860
1⤵
PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gdiyqwb.im

Filesize
334KB

MD5
7e9a72d139878ecf2699b44f890e14b8

SHA1
23a55bd2a648fe65dc25356beb5be8c44d718147

SHA256
545fed32d85fd13dee67e82dba632a2a8f54f7c9a101ef68136c457f5ad6b4e2

SHA512
bc1d5687488fbff994ac89e149c0607fa02a129742536dd4939f8fc1a3c5815377d17d7c35d197a6b0eac423d44606b8d690ec49ac3dc5992763dc449b414331

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe

Filesize
169KB

MD5
c9fd2ae104aacc62a6d543db3bdf70b2

SHA1
4111132302640eaed75782acbe3541c73df03c3a

SHA256
66da97b966ac27a59f60aceabad03fb2f5cc74f958147e4031dc7ae188d002df

SHA512
706503ba49ecdfb165f2e4d57f71eb7294fdf8f95c4f82e96097251f09d94f56aa32ac27a8c004099e6cb03ad9eab32e428eb06146e6e0178bf19d2c458e26fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe

Filesize
169KB

MD5
c9fd2ae104aacc62a6d543db3bdf70b2

SHA1
4111132302640eaed75782acbe3541c73df03c3a

SHA256
66da97b966ac27a59f60aceabad03fb2f5cc74f958147e4031dc7ae188d002df

SHA512
706503ba49ecdfb165f2e4d57f71eb7294fdf8f95c4f82e96097251f09d94f56aa32ac27a8c004099e6cb03ad9eab32e428eb06146e6e0178bf19d2c458e26fa

Download Submit
memory/3860-5-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download