Analysis
  max time kernel: 140s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20231130-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 08/12/2023, 10:25

Static task
  static1

Behavioral task
  behavioral1
    Sample: KO98765456700.exe
    Resource: win7-20231129-en

Behavioral task
  behavioral2
    Sample: KO98765456700.exe
    Resource: win10v2004-20231130-en
General
  Target: KO98765456700.exe
  Size: 588KB
  MD5: 48a8c7c04787860d0b433581a404ba34
  SHA1: 1c675b13fa28944232ec919b458c7da4a2bd43b2
  SHA256: 27d2d0578f8c2ef2ed8055dfc2594af414222a0914e2740a0c12adb9db424e9d
  SHA512: b8d45391b6f0c3d6d1da61d2dc964e60925133cfca7f840cb9753f257494f5fa16997b91295fb26e5e216291702b712efd2fbbce7b52186c63222546612cfe4c
  SSDEEP: 12288:BxL8DKn1sgl+4gXGMz4hQHjAl7ZEs7SroJZucXou:BhMKnv+Z2MEhQ8ldMUucX/
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  pid    Process
  892    qjwofl.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lueajfoxt = "C:\\Users\\Admin\\AppData\\Roaming\\mhqavfokt\\pyienwcxhq.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\qjwofl.exe\" "
  Process: qjwofl.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  pid     pid_target    Process         procid_target
  4904    892           WerFault.exe    87

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid     Process              procid_target
  PID 1548 wrote to memory of 892    1548    KO98765456700.exe    87
  PID 1548 wrote to memory of 892    1548    KO98765456700.exe    87
  PID 1548 wrote to memory of 892    1548    KO98765456700.exe    87
  PID 892 wrote to memory of 608     892     qjwofl.exe           92
  PID 892 wrote to memory of 608     892     qjwofl.exe           92
  PID 892 wrote to memory of 608     892     qjwofl.exe           92
Processes

  C:\Users\Admin\AppData\Local\Temp\KO98765456700.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\KO98765456700.exe"
    PID: 1548
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\qjwofl.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\qjwofl.exe"
      PID: 892
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\qjwofl.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qjwofl.exe"
        PID: 608

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 688
        PID: 4904
        - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 892 -ip 892
    PID: 3948
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 168KB
  MD5: e9e36c00a6bdc83b58f2f005d9230560
  SHA1: 4517889931bac4911012e6c40f26664553316b86
  SHA256: f3b88a87391d8978784342aa4cf1d02c58b65051b6003d9643e5cb0b1fa38a49
  SHA512: 0af04537930dbd11a0524769781d2a03bd1282bf55f0e14e990fecf70d31a30f8bf4554c600125f0296617746a8822b29ab45ee7670874792905141af4f1e9ab

  Filesize: 502KB
  MD5: d1422dcc186dd0d33d4ee348049b7066
  SHA1: 1798099cde18c883af8cff25d213ab51b454d373
  SHA256: 0f1e81839fb040ce10485c8be5c6102546e8673aac91f78813d9ca439017957a
  SHA512: ca6b9741abbaa59358af118efeaabe8758b793036132f879783d41c77551c246b5456f0b22f455d77c3571cb697f3768293a10aee7c719b9fe8d63de52dfd02d