239c15afefb695afbdb1a5594b1932d8b7ed6ae52316510f96eaf06d93d7f637

Analysis

max time kernel
116s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16e8cbef6a9686ef140df6ea72ca7e91.exe
Size

878KB
MD5

16e8cbef6a9686ef140df6ea72ca7e91
SHA1

d8561e4a7be2f96a8390746f30f2c33aa5609b65
SHA256

239c15afefb695afbdb1a5594b1932d8b7ed6ae52316510f96eaf06d93d7f637
SHA512

b7698b65f6bf954a950a1c890da7e8aa758c5c4f83cd5429c57cf702c22ef9b1ec380f3b7319252330d9eae87ae2bb5c080278b90ac64638257663424a55ad5f
SSDEEP

24576:Mrb6BeG7lxoGMr8nYWHMLIuSPZArUWX0HAq5nsUHJRROkf:+DGBnlHMLIxZArU0kdBsGJ/P

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1148	b014b9dfac72f558d25c1c44d4bf5652.exe

Loads dropped DLL 1 IoCs

pid	Process
2260	16e8cbef6a9686ef140df6ea72ca7e91.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2216	1148	WerFault.exe	97

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 1148	2260	16e8cbef6a9686ef140df6ea72ca7e91.exe	97
PID 2260 wrote to memory of 1148	2260	16e8cbef6a9686ef140df6ea72ca7e91.exe	97
PID 2260 wrote to memory of 1148	2260	16e8cbef6a9686ef140df6ea72ca7e91.exe	97

C:\Users\Admin\AppData\Local\Temp\16e8cbef6a9686ef140df6ea72ca7e91.exe
"C:\Users\Admin\AppData\Local\Temp\16e8cbef6a9686ef140df6ea72ca7e91.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\b014b9dfac72f558d25c1c44d4bf5652.exe
  C:\Users\Admin\AppData\Local\Temp\b014b9dfac72f558d25c1c44d4bf5652.exe
  2⤵
  - Executes dropped EXE
  PID:1148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 484
    3⤵
    - Program crash
    PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1148 -ip 1148
1⤵
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b014b9dfac72f558d25c1c44d4bf5652.exe

Filesize
778KB

MD5
9b2f7e680d811e22d3d9c25d4b3190ef

SHA1
cade75e9eeebc918167941a5fc06e62b0f1b5d12

SHA256
247d863a3328ff308da71b6d5dc4b7cdab283c59d3582e398066d6ce1c41279a

SHA512
87325695b342c4f386877e6633a53356dd8a3101ab5997b71fc12886203b16caa2bd1f659cdb6032a59ec24b8acc63621e9512a0d0d4b846fb38a36e2d6869ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr703A.tmp\nxs.dll

Filesize
6KB

MD5
8ca09b6200ffa05b54c6672d855beb4a

SHA1
daa16fe49c8b2250e9d2383b861cda51f876de49

SHA256
033e93ad470241c92762924ccfceafb849a525e263e5d4a3dbcfc2e07a8803c3

SHA512
6ab97181ec45430888d8ad3fd411de22423e1c057833e282af085a975198338c95f7ba10b7c69f33298afc88ddd38d01ab010998fd4a8ba8abb8561796bf9f14

Download Submit
memory/1148-13-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1148-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download