b949e5a78556d06a3656dfc72c55aa79c81b484dbf9bfffc79978fda100b116f

Analysis

max time kernel
3s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 05:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6e64540297c63289dfe68b00674cef29.exe
Size

1003KB
MD5

6e64540297c63289dfe68b00674cef29
SHA1

11cf6657653bef2839029a050f3917fd39baf8ab
SHA256

b949e5a78556d06a3656dfc72c55aa79c81b484dbf9bfffc79978fda100b116f
SHA512

405d0e80536c810360c93c5724c1c2158f4543743bc24ad039e78ba491aaf817f98fa3189911727b0dd0c31dd0963cd862edc3ef120609fbd8f1ecd996ed58e6
SSDEEP

24576:9pKTM9GllRFFzQ3WIL8eymlHDbLF35jsHqE:90TMIllnBQ3WIL8eZHD1pIT

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4500	6e64540297c63289dfe68b00674cef29.exe

Executes dropped EXE 1 IoCs

pid	Process
4500	6e64540297c63289dfe68b00674cef29.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3908-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/memory/4500-14-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x000f000000023151-12.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 18 IoCs

pid	pid_target	Process	procid_target
628	4500	WerFault.exe	21
4412	4500	WerFault.exe	21
1188	4500	WerFault.exe	21
1300	4500	WerFault.exe	21
4972	4500	WerFault.exe	21
2596	4500	WerFault.exe	21
4384	4500	WerFault.exe	21
4404	4500	WerFault.exe	21
2520	4500	WerFault.exe	21
2628	4500	WerFault.exe	21
1412	4500	WerFault.exe	21
4624	4500	WerFault.exe	21
4300	4500	WerFault.exe	21
5028	4500	WerFault.exe	21
1400	4500	WerFault.exe	21
3080	4500	WerFault.exe	21
388	4500	WerFault.exe	21
3352	4500	WerFault.exe	21

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2888	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3908	6e64540297c63289dfe68b00674cef29.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3908	6e64540297c63289dfe68b00674cef29.exe
4500	6e64540297c63289dfe68b00674cef29.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 4500	3908	6e64540297c63289dfe68b00674cef29.exe	21
PID 3908 wrote to memory of 4500	3908	6e64540297c63289dfe68b00674cef29.exe	21
PID 3908 wrote to memory of 4500	3908	6e64540297c63289dfe68b00674cef29.exe	21
PID 4500 wrote to memory of 2888	4500	6e64540297c63289dfe68b00674cef29.exe	22
PID 4500 wrote to memory of 2888	4500	6e64540297c63289dfe68b00674cef29.exe	22
PID 4500 wrote to memory of 2888	4500	6e64540297c63289dfe68b00674cef29.exe	22
PID 4500 wrote to memory of 4616	4500	6e64540297c63289dfe68b00674cef29.exe	31
PID 4500 wrote to memory of 4616	4500	6e64540297c63289dfe68b00674cef29.exe	31
PID 4500 wrote to memory of 4616	4500	6e64540297c63289dfe68b00674cef29.exe	31
PID 4616 wrote to memory of 3644	4616	cmd.exe	25
PID 4616 wrote to memory of 3644	4616	cmd.exe	25
PID 4616 wrote to memory of 3644	4616	cmd.exe	25

C:\Users\Admin\AppData\Local\Temp\6e64540297c63289dfe68b00674cef29.exe
"C:\Users\Admin\AppData\Local\Temp\6e64540297c63289dfe68b00674cef29.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Users\Admin\AppData\Local\Temp\6e64540297c63289dfe68b00674cef29.exe
  C:\Users\Admin\AppData\Local\Temp\6e64540297c63289dfe68b00674cef29.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\6e64540297c63289dfe68b00674cef29.exe" /TN mCaqQXkK46ae /F
    3⤵
    - Creates scheduled task(s)
    PID:2888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 608
    3⤵
    - Program crash
    PID:628
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN mCaqQXkK46ae > C:\Users\Admin\AppData\Local\Temp\r8Sax7HY.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 604
    3⤵
    - Program crash
    PID:4412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 640
    3⤵
    - Program crash
    PID:1188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 716
    3⤵
    - Program crash
    PID:1300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 716
    3⤵
    - Program crash
    PID:4972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 780
    3⤵
    - Program crash
    PID:2596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1488
    3⤵
    - Program crash
    PID:4384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1908
    3⤵
    - Program crash
    PID:4404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 2144
    3⤵
    - Program crash
    PID:2520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 2096
    3⤵
    - Program crash
    PID:2628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1924
    3⤵
    - Program crash
    PID:1412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1912
    3⤵
    - Program crash
    PID:4624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1940
    3⤵
    - Program crash
    PID:4300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1916
    3⤵
    - Program crash
    PID:5028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1988
    3⤵
    - Program crash
    PID:1400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1960
    3⤵
    - Program crash
    PID:3080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 2140
    3⤵
    - Program crash
    PID:388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 568
    3⤵
    - Program crash
    PID:3352

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN mCaqQXkK46ae
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4500 -ip 4500
1⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4500 -ip 4500
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4500 -ip 4500
1⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4500 -ip 4500
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4500 -ip 4500
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4500 -ip 4500
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4500 -ip 4500
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4500 -ip 4500
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4500 -ip 4500
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4500 -ip 4500
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4500 -ip 4500
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4500 -ip 4500
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4500 -ip 4500
1⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4500 -ip 4500
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4500 -ip 4500
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4500 -ip 4500
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4500 -ip 4500
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 4500 -ip 4500
1⤵
PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6e64540297c63289dfe68b00674cef29.exe

Filesize
70KB

MD5
0806bdbe0977889dd16d0e0ab235b8e1

SHA1
82a8c72225723d820211de864833a9afc7e29a27

SHA256
314591e2444cc9f4b06d420c8c5e93dc0c0a688f4d7942a95327ed1099195458

SHA512
8852ce9af594c5b4b2645bfff3419e9ac761470fc203332350b6ec10bdde906a2d7c4dddca5fd1233c4ba72c4330a302158236fd53b8b0e97ffc8876f2644a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\r8Sax7HY.xml

Filesize
1KB

MD5
e3060e790b00312df93e5fc85f994ab9

SHA1
06f86a4f461a28bbd71cfe7c8989508fcee645cc

SHA256
7f7f2e7a395ec0e08106e4e46a16cf6e59acafc14d4386609fd00196957d1536

SHA512
084b75eedf0baf478ef49609936805439890b3290dfd086fef16708a74b2511857d04e5689c0d4de9057fffc0636d26567b27efb0ff6034550991efa9ad8f1c5

Download Submit
memory/3908-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3908-5-0x0000000025000000-0x000000002507E000-memory.dmp

Filesize
504KB

Download
memory/3908-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3908-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4500-23-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/4500-22-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4500-18-0x0000000024FE0000-0x000000002505E000-memory.dmp

Filesize
504KB

Download
memory/4500-14-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4500-40-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads