Analysis
Max time kernel: 100s
Max time network: 110s
Platform: windows10-2004_x64
Resource: win10v2004-20231130-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 12-12-2023 02:20
Static task: static1
Behavioral task: behavioral1
  Sample: eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe
  Resource: win7-20231130-en
Behavioral task: behavioral2
  Sample: eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe
  Resource: win10v2004-20231130-en
General
Target: eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe
Size: 419KB
MD5: 748587ad382b73ec3619f951b9c0f520
SHA1: 1867110007560593e22f2a45d354c35099dcdd74
SHA256: eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b
SHA512: 41715aa653807cdf099fb6f999ea5eb36b77a203502e3ff708620696a84f2c9bf14b27e16368c1122d1718cca6fdd5b39324bbe6f6654c124f535d191e8f252c
SSDEEP: 6144:P8LxBgg2Z/zHvU7RD+0c+7jsZ37cOG4CIrAntf24fP2UPDK1WvXC9MaPBA:w2Z/zHWA0c+3W3ObIrAnVf1LK1Wv3OK
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  384   qdslvzkqg.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  5052  384         WerFault.exe  qdslvzkqg.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                        pid   process                                                                   target process
  PID 4896 wrote to memory of 384    4896  eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe  qdslvzkqg.exe
  PID 4896 wrote to memory of 384    4896  eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe  qdslvzkqg.exe
  PID 4896 wrote to memory of 384    4896  eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe  qdslvzkqg.exe
  PID 384 wrote to memory of 1324    384   qdslvzkqg.exe                                                             qdslvzkqg.exe
  PID 384 wrote to memory of 1324    384   qdslvzkqg.exe                                                             qdslvzkqg.exe
  PID 384 wrote to memory of 1324    384   qdslvzkqg.exe                                                             qdslvzkqg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4896
  -
  C:\Users\Admin\AppData\Local\Temp\qdslvzkqg.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\qdslvzkqg.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 384
    -
    C:\Users\Admin\AppData\Local\Temp\qdslvzkqg.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\qdslvzkqg.exe"
      PID: 1324
    -
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 664
      - Program crash
      PID: 5052
-
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 384 -ip 384
  PID: 3624
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 333KB
MD5: ca1c97ce2afd887ef84dbd4592e234e8
SHA1: 2922fe8e316321b5762058f4f24b6415450122fe
SHA256: 0046c6a752df509a293fcbfa9665923c6ac4310d59bdbaf102704cf4ec4c3247
SHA512: faad180d9d2155577af4c7a1573a7433dda0050d53773df8d7a32d69db7052001aa9097c9c82618700627d9a563a378ac04367334b6a67bbae3392f56919c13d
-
Filesize: 165KB
MD5: 1b8d8633ac4e79b156290d394f181047
SHA1: c4434ea803b10c58d37d8383e3e9da2732993d28
SHA256: 046380e2a000529cddb9aa5454967f78432fdcc0c238568cda2594c113f2584b
SHA512: d624223e8df35b873ec296299df34b2e8a3352af2f2fb8f4eea3134e04b046f6b03385536a3beeb71ecd24390cf3ec92d8b48a200152d7a6760f09d35402e0a4