5ba15312e2288e65677abdc25f2d8de2c2b71f738da644e40f636a3a924fe9ec

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0870a85c968046400d667c544d7fe9ff.exe
Size

195KB
MD5

0870a85c968046400d667c544d7fe9ff
SHA1

e27554ef8707d9f65144d967542ed5679f67c863
SHA256

5ba15312e2288e65677abdc25f2d8de2c2b71f738da644e40f636a3a924fe9ec
SHA512

584684d40c17a7905a302b0902ee32ab83501219fc4c0b1ab4af75e8d6d1f2aa43f143866764b2701b5fa44de144c119cabab7c464894944f0f2597a97f6ff8f
SSDEEP

3072:WwxVMhOC/dTDbq91+mno3t4QZQ3rAH+fxjGkumxn0x5stF1544tLYKe9dKVFAyHn:WTfFDbRnOTrAaVXxLfDaUNPKGb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2736	install.exe

Loads dropped DLL 9 IoCs

pid	Process
2192	0870a85c968046400d667c544d7fe9ff.exe
2736	install.exe
2736	install.exe
2736	install.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2064	2736	WerFault.exe	24

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2736	2192	0870a85c968046400d667c544d7fe9ff.exe	24
PID 2192 wrote to memory of 2736	2192	0870a85c968046400d667c544d7fe9ff.exe	24
PID 2192 wrote to memory of 2736	2192	0870a85c968046400d667c544d7fe9ff.exe	24
PID 2192 wrote to memory of 2736	2192	0870a85c968046400d667c544d7fe9ff.exe	24
PID 2192 wrote to memory of 2736	2192	0870a85c968046400d667c544d7fe9ff.exe	24
PID 2192 wrote to memory of 2736	2192	0870a85c968046400d667c544d7fe9ff.exe	24
PID 2192 wrote to memory of 2736	2192	0870a85c968046400d667c544d7fe9ff.exe	24
PID 2736 wrote to memory of 2064	2736	install.exe	29
PID 2736 wrote to memory of 2064	2736	install.exe	29
PID 2736 wrote to memory of 2064	2736	install.exe	29
PID 2736 wrote to memory of 2064	2736	install.exe	29
PID 2736 wrote to memory of 2064	2736	install.exe	29
PID 2736 wrote to memory of 2064	2736	install.exe	29
PID 2736 wrote to memory of 2064	2736	install.exe	29

C:\Users\Admin\AppData\Local\Temp\0870a85c968046400d667c544d7fe9ff.exe
"C:\Users\Admin\AppData\Local\Temp\0870a85c968046400d667c544d7fe9ff.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 252
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
166KB

MD5
1fdc4cf8881ce1585a69f25aadb2356f

SHA1
0d89d78cd8abf70140d99c971f68c3980624d9a5

SHA256
b56c4292afa079bc99151a73a63b1477beb25ef383498ff2e610ed1d717042bd

SHA512
6ebfc7f262f62c4f0518a593e1aeabc95077bc1a449ceb485290041e22541d9e7d195bf6333110e502ef1dd161c7f6c0aa77c196926e83863e4a4897378024be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
227KB

MD5
c6a510531ac72fdeac21b969455d006c

SHA1
31d79c9d36609ce0ecab6d83a3b3fdda6f82e17a

SHA256
a27964680ebd72b8c66d6ac820d440e5e94633f5a948f93cb178088b599b9c63

SHA512
ea222152ba1ab44c1226a34f20e939a0fe5528806de3cacfa3a55124879ae07cba14e27eaf5c2eca999df3103e577db88ebfce7da8e57c0d68a07cfa8bdbae8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
123KB

MD5
41dbf92b58ff5c1d3c8d674058e2ebd1

SHA1
1689740702153033eb22c0e7bbcb0628e9b7d130

SHA256
6405929ed8c949311f570cd6f2eed51f6953b73cafa66734cedd103b9aa894d1

SHA512
cd2b5c164b1af90fb2928227482004093f0fdb96cf2a06c581a9628bdbd37d24140f5b89fdf4755b2ab02f7ce488639997fe1a91fe1ffcc894fb82a0349891fe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
124KB

MD5
fb16b2df21fc9f216cf7f17b21bf9745

SHA1
106c59bbc201d0686a16e283e9bb532ff2e65b13

SHA256
0561bdba50b7d2b02496f56d294a4dde4acecef502321a9ce581844685760930

SHA512
6adc6dcd9fc9ff10842ceacde1670d6e39ac7cfe0413f1bd3ba6ed13b8541398538782bebbc58dc3c5eddfc68aaf100ff13a9490ea1c57bab4f4f1490b228267

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
118KB

MD5
a4d7f5172687835a5656fc620e2d04f9

SHA1
3a8a7e5bd2fe786d7664b32274356f67fde226df

SHA256
50e4aa61d99e90e6cef5d79fe551b20af4408f63febd97c24f036153fe9b57c3

SHA512
b115c389cebd016471abc539b5fa970132011438a53304bdd7f530d692ce40acdf4bc77887168fecb1911badff475c37d9904c564611faa9caccb2b7ef7fc679

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
155KB

MD5
10f6e3e31b108682b9a910bc546da8ec

SHA1
74f70cff6d9b8112b0e9b7564cfb6923a79dc04e

SHA256
88e5f25c13429381bcca726381a25ee2dac0453c0de70d341a51f91514a71e9d

SHA512
236a1609926404eaf95da5a9de403e759ccac9363639e690914396b6b683f9cc7440580be0795f2a2cc8d586a6dc70ab308717369a624dccf82c1c411b741e88

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
125KB

MD5
df3bf94af79e4f813f947b1edadbbf0a

SHA1
da79e5c4a6d18ed740a11d56bc911ef5d25b5e70

SHA256
ca475cc45cede3d17ebf4ee44e04f42a7dc147f1394b985089129e3903fcceb2

SHA512
121dbf9c8883a8c0a7abbee794daf280d6ef0330fd6c22d399a42a04898d916d34008420096b525384f060985d0dce380a6a0f9869def97cb9a3768660fa5925

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
210KB

MD5
ce20851e2d52a36660a3f1af4addb633

SHA1
3743cc4fd35606cc1e33c4eac9f00a301431649e

SHA256
cec38353bc32ebd86710335f88f282c1ced16f235e1a67818c9deb5c7173cc13

SHA512
3b2e675ad5de01ca9c25580d635c5c5ecdde0df84b0a706bc114835ceaa293099dbbf07aeaa415b37c7e03de1c70fbccef1020ec709c331269421c1ddffa6f0d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
121KB

MD5
d4b2d8949ac63eb1640cf43767257c64

SHA1
54f6bba2050500341d12917fc046797d1795512b

SHA256
a25585ca0a6d170c6a2963ff7736020fb9529d8f6250efc03b89539e6f279948

SHA512
babe77ace6b38826d86a30b7264d0fa185960de4326e5aaad6b84d6fb6858592de7b40b136512610c9a8e4fe704113f2822aaf20d2e45e2bf1ca061481feca96

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
237KB

MD5
16c5109dfc03f87f0efa1970691c5965

SHA1
ef708a2935ddd93e23e0b3bce45eb486cc54d32b

SHA256
8e79fc016453a67beedcd97a5085213ae8e10492638edccf10efc46d1f2f8bfa

SHA512
948fb1ee85e3c6257bba1c02ece5a5c4b93920b947946a05ef06ff00af12741d1de967f7d44a62fec86ed8de3d85f5e73fd7cb444dacabb3142074081632ba70

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
147KB

MD5
c6eb5a47b3962cb7d4f9c652415f6d7b

SHA1
b42c46395f493fcde539c72d529b5def893ecf24

SHA256
f62e76222d4639b75895bbb97dcb551d844e163a50f2a9758482eafc124061bc

SHA512
c5c026d692cd7b686978d68eec3205c546f98f855df1f48c64cd8a5dd5761aead2314d47b44f9f7febd672604618d43af7a7d876157064984282e3d7cd6444e8

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
129KB

MD5
6c918e65b9f333716f1478c2108f7b28

SHA1
b965b59d088fd37a48e28faff72e00127dfc2313

SHA256
99cb6a7ff1070d198a2c48a410cedfed51ceb74426566369e63b4469c5d45b22

SHA512
2aadaf0f085c0c56a54f3ff58d70072e517f49e7829edbeaf21c8682ddd633e6146f1932b527c59b7fe728578de7a72e35cf41d8a448a70adb5e0f6917f97788

Download Submit
memory/2192-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download