383ebd9a31e3f1874901c32fbfb2310bce1d2e3d924f2b238e145ac9da608ff8

Analysis

max time kernel
3s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c940abd49dd66ca56a2e730559693402.exe
Size

1003KB
MD5

c940abd49dd66ca56a2e730559693402
SHA1

ef485356936ed0693522ae5c9538c39fed789fc6
SHA256

383ebd9a31e3f1874901c32fbfb2310bce1d2e3d924f2b238e145ac9da608ff8
SHA512

52e012484fc835f0112475ec4295a0faa1faf4198f16fb4b145f5c6446d84d108e90d3c595cc80808ec9f3c233829ac10dac2b2fde2663605e02dfa408e9733f
SSDEEP

24576:m+3Edqfw8Rqzj9GeVuLLwNa0erkZdEx3Knx6Y6:m+3EdqI8R2j9GeVCLwNBerkZdEx3Kns

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1988	c940abd49dd66ca56a2e730559693402.exe

Executes dropped EXE 1 IoCs

pid	Process
1988	c940abd49dd66ca56a2e730559693402.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4100-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x000700000002320d-13.dat	upx
behavioral2/memory/1988-14-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 17 IoCs

pid	pid_target	Process	procid_target
3092	1988	WerFault.exe	88
1568	1988	WerFault.exe	88
2064	1988	WerFault.exe	88
5116	1988	WerFault.exe	88
2224	1988	WerFault.exe	88
1632	1988	WerFault.exe	88
4052	1988	WerFault.exe	88
516	1988	WerFault.exe	88
4808	1988	WerFault.exe	88
4204	1988	WerFault.exe	88
3992	1988	WerFault.exe	88
4080	1988	WerFault.exe	88
4348	1988	WerFault.exe	88
4912	1988	WerFault.exe	88
4356	1988	WerFault.exe	88
2772	1988	WerFault.exe	88
4312	1988	WerFault.exe	88

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3424	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4100	c940abd49dd66ca56a2e730559693402.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4100	c940abd49dd66ca56a2e730559693402.exe
1988	c940abd49dd66ca56a2e730559693402.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 1988	4100	c940abd49dd66ca56a2e730559693402.exe	88
PID 4100 wrote to memory of 1988	4100	c940abd49dd66ca56a2e730559693402.exe	88
PID 4100 wrote to memory of 1988	4100	c940abd49dd66ca56a2e730559693402.exe	88
PID 1988 wrote to memory of 3424	1988	c940abd49dd66ca56a2e730559693402.exe	91
PID 1988 wrote to memory of 3424	1988	c940abd49dd66ca56a2e730559693402.exe	91
PID 1988 wrote to memory of 3424	1988	c940abd49dd66ca56a2e730559693402.exe	91
PID 1988 wrote to memory of 5040	1988	c940abd49dd66ca56a2e730559693402.exe	98
PID 1988 wrote to memory of 5040	1988	c940abd49dd66ca56a2e730559693402.exe	98
PID 1988 wrote to memory of 5040	1988	c940abd49dd66ca56a2e730559693402.exe	98
PID 5040 wrote to memory of 4652	5040	cmd.exe	93
PID 5040 wrote to memory of 4652	5040	cmd.exe	93
PID 5040 wrote to memory of 4652	5040	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\c940abd49dd66ca56a2e730559693402.exe
"C:\Users\Admin\AppData\Local\Temp\c940abd49dd66ca56a2e730559693402.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Users\Admin\AppData\Local\Temp\c940abd49dd66ca56a2e730559693402.exe
  C:\Users\Admin\AppData\Local\Temp\c940abd49dd66ca56a2e730559693402.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c940abd49dd66ca56a2e730559693402.exe" /TN 1WOV8tOcae1c /F
    3⤵
    - Creates scheduled task(s)
    PID:3424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 616
    3⤵
    - Program crash
    PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 1WOV8tOcae1c > C:\Users\Admin\AppData\Local\Temp\dPazfY.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 652
    3⤵
    - Program crash
    PID:1568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 660
    3⤵
    - Program crash
    PID:2064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 724
    3⤵
    - Program crash
    PID:5116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 724
    3⤵
    - Program crash
    PID:2224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 784
    3⤵
    - Program crash
    PID:1632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1464
    3⤵
    - Program crash
    PID:4052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1920
    3⤵
    - Program crash
    PID:516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 2144
    3⤵
    - Program crash
    PID:4808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1932
    3⤵
    - Program crash
    PID:4204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1944
    3⤵
    - Program crash
    PID:3992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1920
    3⤵
    - Program crash
    PID:4080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 2256
    3⤵
    - Program crash
    PID:4348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 2108
    3⤵
    - Program crash
    PID:4912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 2252
    3⤵
    - Program crash
    PID:4356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1924
    3⤵
    - Program crash
    PID:2772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 648
    3⤵
    - Program crash
    PID:4312

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN 1WOV8tOcae1c
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1988 -ip 1988
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1988 -ip 1988
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1988 -ip 1988
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1988 -ip 1988
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1988 -ip 1988
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1988 -ip 1988
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1988 -ip 1988
1⤵
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1988 -ip 1988
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1988 -ip 1988
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1988 -ip 1988
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1988 -ip 1988
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1988 -ip 1988
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1988 -ip 1988
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1988 -ip 1988
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1988 -ip 1988
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1988 -ip 1988
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1988 -ip 1988
1⤵
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c940abd49dd66ca56a2e730559693402.exe

Filesize
8KB

MD5
0c9a1cfaea556070cab99437234e3edd

SHA1
882dbcc2d69f3d4f8035acfb56b1b1a95866df2c

SHA256
92cc789dcb4a3e0bda0438150578a8cf6a07117bcd07a1c9ca108a30d30ea1a3

SHA512
30e8f6787e141bc64b3191a7449bbcc359e3aa0c7766721c6f2ccab87c4b404b6b770a1d86b9dd92615d875fd61e5e922922f78f388c96b0793a0ddd7d5735ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\dPazfY.xml

Filesize
1KB

MD5
8f61a1c296a6355067c23274bdac7f97

SHA1
cf3880c5936aebe57589202a48afcddec3176bd8

SHA256
f799a89e380087fee45e06ab2173d62ca4840a20f2a92ad8f4723660d7dc6abe

SHA512
0ca7b3581d400ce10b4ba2d7617756d0a805b4aa1632410ddfcd243fa6f50c1da1267aabe64e4aedb1952d05475f32fc1033b2477293fab4fed2430a9e107808

Download Submit
memory/1988-14-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1988-16-0x0000000001720000-0x000000000179E000-memory.dmp

Filesize
504KB

Download
memory/1988-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1988-22-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/1988-40-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4100-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4100-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4100-4-0x0000000025020000-0x000000002509E000-memory.dmp

Filesize
504KB

Download
memory/4100-12-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads