d5685b7576875be2c14879906191e0817ff0fab11b0075d89a92445ad93c1191

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0874d77f9d19a2668da6e8a4ea44e5b2.exe
Size

203KB
MD5

0874d77f9d19a2668da6e8a4ea44e5b2
SHA1

422955180edf85c8f28ae06fc84a7498613594d0
SHA256

d5685b7576875be2c14879906191e0817ff0fab11b0075d89a92445ad93c1191
SHA512

590566d9466a4580595030a7bb2a16d28a962ed5b6c0ed7082f9308d27efae6fb41697281518b44efd83ab47be7da278f8c7eb3ba037092764730700e12bc5cd
SSDEEP

3072:aVG6UVYxmJhU40XGRkTjuIWnGPDXHV0wcFS+p3z67C3gA2QQCTK8bOfbvp7EH/E7:yh17XtTKGPD10fFx3WbA23CNbOThIcWe

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2440	nsFB72.tmp
2200	check.exe
2608	tmp1.exe
2632	tmp2.exe

Loads dropped DLL 26 IoCs

pid	Process
2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe
2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe
2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe
2440	nsFB72.tmp
2440	nsFB72.tmp
2200	check.exe
2200	check.exe
2200	check.exe
2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe
2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe
2608	tmp1.exe
2608	tmp1.exe
2608	tmp1.exe
2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe
2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe
2632	tmp2.exe
2632	tmp2.exe
2632	tmp2.exe
2516	WerFault.exe
2516	WerFault.exe
2516	WerFault.exe
2516	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2516	2608	WerFault.exe	20
2648	2632	WerFault.exe	19

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2440	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	23
PID 2448 wrote to memory of 2440	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	23
PID 2448 wrote to memory of 2440	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	23
PID 2448 wrote to memory of 2440	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	23
PID 2448 wrote to memory of 2440	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	23
PID 2448 wrote to memory of 2440	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	23
PID 2448 wrote to memory of 2440	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	23
PID 2440 wrote to memory of 2200	2440	nsFB72.tmp	21
PID 2440 wrote to memory of 2200	2440	nsFB72.tmp	21
PID 2440 wrote to memory of 2200	2440	nsFB72.tmp	21
PID 2440 wrote to memory of 2200	2440	nsFB72.tmp	21
PID 2440 wrote to memory of 2200	2440	nsFB72.tmp	21
PID 2440 wrote to memory of 2200	2440	nsFB72.tmp	21
PID 2440 wrote to memory of 2200	2440	nsFB72.tmp	21
PID 2448 wrote to memory of 2608	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	20
PID 2448 wrote to memory of 2608	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	20
PID 2448 wrote to memory of 2608	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	20
PID 2448 wrote to memory of 2608	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	20
PID 2448 wrote to memory of 2608	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	20
PID 2448 wrote to memory of 2608	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	20
PID 2448 wrote to memory of 2608	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	20
PID 2448 wrote to memory of 2632	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	19
PID 2448 wrote to memory of 2632	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	19
PID 2448 wrote to memory of 2632	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	19
PID 2448 wrote to memory of 2632	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	19
PID 2448 wrote to memory of 2632	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	19
PID 2448 wrote to memory of 2632	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	19
PID 2448 wrote to memory of 2632	2448	0874d77f9d19a2668da6e8a4ea44e5b2.exe	19
PID 2608 wrote to memory of 2516	2608	tmp1.exe	22
PID 2608 wrote to memory of 2516	2608	tmp1.exe	22
PID 2608 wrote to memory of 2516	2608	tmp1.exe	22
PID 2608 wrote to memory of 2516	2608	tmp1.exe	22
PID 2608 wrote to memory of 2516	2608	tmp1.exe	22
PID 2608 wrote to memory of 2516	2608	tmp1.exe	22
PID 2608 wrote to memory of 2516	2608	tmp1.exe	22
PID 2632 wrote to memory of 2648	2632	tmp2.exe	24
PID 2632 wrote to memory of 2648	2632	tmp2.exe	24
PID 2632 wrote to memory of 2648	2632	tmp2.exe	24
PID 2632 wrote to memory of 2648	2632	tmp2.exe	24
PID 2632 wrote to memory of 2648	2632	tmp2.exe	24
PID 2632 wrote to memory of 2648	2632	tmp2.exe	24
PID 2632 wrote to memory of 2648	2632	tmp2.exe	24

C:\Users\Admin\AppData\Local\Temp\0874d77f9d19a2668da6e8a4ea44e5b2.exe
"C:\Users\Admin\AppData\Local\Temp\0874d77f9d19a2668da6e8a4ea44e5b2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\tmp2.exe
  tmp2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 252
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2648
- C:\Users\Admin\AppData\Local\Temp\tmp1.exe
  tmp1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 252
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2516
- C:\Users\Admin\AppData\Local\Temp\nstFB71.tmp\nsFB72.tmp
  "C:\Users\Admin\AppData\Local\Temp\nstFB71.tmp\nsFB72.tmp" "C:\Users\Admin\AppData\Local\Temp\check.exe" e -o+ -pdwPud7lfqhm5VGMCkBWYKE5j8mex4 package.tmp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2440

C:\Users\Admin\AppData\Local\Temp\check.exe
"C:\Users\Admin\AppData\Local\Temp\check.exe" e -o+ -pdwPud7lfqhm5VGMCkBWYKE5j8mex4 package.tmp
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\check.exe

Filesize
64KB

MD5
0e73207e61e250c76b22a2c1f691c849

SHA1
46bcd45b5e8c15b38648a38c9bc569b2dcc58654

SHA256
baa616544e58b85d3fa9ed53688cdd9ef51844c27537da9b03ce3092a4843d87

SHA512
0b3d0f50c709f37910c85d65417f85295d6f66d355db20dd4e28c7618a7b81f9474da97a6d220ed2ed801e46382295ad8b4ccab9ba0101a8be25863679d793b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\check.exe

Filesize
28KB

MD5
e1039cfdd7c0f40b1a3370e48c1e56d3

SHA1
965ff49f6f17d291534d92cec03f6e985abc07ed

SHA256
2081069ccf240e5ccaf96c09f31c842c8b30799fc5b35fbdec9029e13acf90f5

SHA512
9cd9a872bb6cd5d9239711e55195ab57eb9aacface3c4c3e3c5b587ea827320b0ce34de70dbbab60ba930d347d4ad44371fc3c9a571bb32bdf07e293b9283170

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstFB71.tmp\nsExec.dll

Filesize
6KB

MD5
165d8d1e0c21b60862079368b063b25b

SHA1
a553c91c70eed07cfc27ac0d333dc7ca1e32c2c4

SHA256
db80fa3f48a227e91d16fe81eeae96dc15e8fd29fc4c4f8feb21b00c5dc19534

SHA512
f590932c2e933e029435bb8346239fe01ae54b0a16c9c377f0c779fc5b6f8c64ed285c54be0372bb395fafcedbf40c79735263b5ca1310e7adbf7fbe628cb87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstFB71.tmp\nsFB72.tmp

Filesize
6KB

MD5
412ccf8db992b93ecb598da8c07367be

SHA1
dceb6e337931ed0c4de084d0a52d719a61cd2c73

SHA256
e6c4f87160b647c8a8ddd5d494342692091cec409e664253b95b35c6abe7c5d1

SHA512
3dfb51523c075ac41778d76fd2a8f3a5384923d253fdebebe56a5c018fb23d9eb4057ea1a207731afb38c4803e304655c6b8b37e169957727043d7eb76daa55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\package.tmp

Filesize
36KB

MD5
524b570cbdf762f8257b518088a21422

SHA1
e3795c41b2b517bca16a5d188879ec32f83f868a

SHA256
10adb61dab3d99a5a83048e4034a2e0938beecf9d6015f422b7e9eb28dde0a60

SHA512
d79574531bb59f6f121ef7d3eb80475c6a7c9ec386529b65d4b097950084e8a0be9554b1677dbaa5103d9215115b980e4f1a217a7f2665cc040eb7297b6c2013

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1.exe

Filesize
69KB

MD5
d06bca209a515e90b5b1aa7777aeee8b

SHA1
bb0fe2743643f5f7b4fe01df1232461aca2a13fe

SHA256
19b9117d3c9642048d060228e13f3ac828991d91d94da962e5636d369e0862c2

SHA512
a44024db7b0e2a99937e2e3867cec75a2f1a6942e87b9b58061ed05bb72882cc911a614ca37edbe198fa35ee74e872879b89dfc247e5690e3fff0b1a5983e996

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1.exe

Filesize
8KB

MD5
5462dfa655458c1763911e8929d3131b

SHA1
5f84c3c7c29433816bb4ec79f684d961336567ea

SHA256
59fdb96dff242345fd7a9e86fd8d610fab7020ca5f863b14eea80a7e831e63ee

SHA512
f36140dbb48639714d803cfba2d71b4d8109977db89d361d18c68b83125c87c229f829afa0ceb0df57667c39525d856e387d96e5bfefc5bb4d5f3f52f40fba63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2.exe

Filesize
4KB

MD5
30f17a754e4bf0e53674db1ca01c0466

SHA1
1d2018170905d5c5dc9dfa4867dee7555352de4e

SHA256
ea900648564a32f0b15df4f8e515143cad093ce7346f9ac555ebee456082af67

SHA512
ef198dae7e6ecd5048aa8a255869c5cac597442bfce6236582ec7fcf2f419172693eb522639a9e35475cf29a563d09ee346f1c465641b72fa078b517433e26f4

Download Submit
\Users\Admin\AppData\Local\Temp\check.exe

Filesize
46KB

MD5
2a92fa8b3ca9aaaa15037d9ff779a14b

SHA1
f4e48e15727e42a4353a2aeca1437ceafc38ddf0

SHA256
f1049c44c7bfa055a9392fba800d9701c16e401b9714eb1d4a8efcb55ce89cd1

SHA512
ab8a89ec0018cf1d6818734319b1e4693c2853064b9914713e6021535dd61ede08e8c3c4ed23fafbdf7d262170e13f83a8cc2c4aa3c6fd30fa4773379dd4da51

Download Submit
\Users\Admin\AppData\Local\Temp\check.exe

Filesize
98KB

MD5
d70647afca53562472d4e779e78f9d33

SHA1
976596fafb556e01f926b982fef2bdf26c24a3ab

SHA256
d8bf2e1a66a32fcec14869d4f39683ccb2bfe4d080f4ec68e392a965e1e5111f

SHA512
b57fdb826742ebcf77095665678102cd92efd0cda7afd2720c61f1ee314acb1def3c998ebcd0c824b81a33ea27765cf5a39e22c588406fc15c766fd8224dad95

Download Submit
\Users\Admin\AppData\Local\Temp\check.exe

Filesize
33KB

MD5
d118b78fbb4e67e03536f00f24a1787f

SHA1
c64a30636b09b392cd93f7a50f7c47803c3d9a8e

SHA256
45c65770216e66e99db8acb146a62599702229c6217e597cc4f2b31ccf968d6d

SHA512
01bd1da35dc854ba921f84acb6629a662dc5e1dc1958977842cf351910a98e96a5539dbcc2fdf4b6f018dba848f756defa2d3e88e40002d9936ee573f51c8d45

Download Submit
\Users\Admin\AppData\Local\Temp\check.exe

Filesize
56KB

MD5
dac5d7cf445e4525818fbe6e6942b1c3

SHA1
9c5664a5d4e16e4af80e807b7bcd7e25ff814559

SHA256
d974824881c34e2ac7e338bc362fdf7be424c88ef65504982d021b402d3de916

SHA512
beb34b3e00b072822c7463affa84a42801f0fd75d3d47f4f9f680f80bae1603f7485cd459924c5e8aadcc52106a7576e524789c2de1b0f845bb1296593808106

Download Submit
\Users\Admin\AppData\Local\Temp\check.exe

Filesize
102KB

MD5
f4a380a2041432c921f5b631181d5ba6

SHA1
ff8b5efb660f6adecef0ed7a93f018bd2910a5e5

SHA256
4b264150e1c8d986fc9c6a5f5c32b252f4e1878e5d624578ea1fbf3c9584d385

SHA512
7766222f9e4c970cbeb084445c6ffdcd00251680092d763d0a44075f356624fb5de7a5c14b531767218e53d1ca780547263bde6124ed76fd2e97dc1bc3970dbe

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1.exe

Filesize
42KB

MD5
f9798b8a185d0d38c1b71a412f7d5837

SHA1
ba3a389fd800cc8cce29ce07446be4c89f64714b

SHA256
b5a4f69c775b1613e3a986052e2c6b299f816824cc652e396bb5fe5df5a15fe2

SHA512
f521dc010a85a944cd48035bd224c5cf83281227a049a3bd0dcccb57fe149083b8b8687940d4f79d35c3dd4a326e5552032e391b2eef771251710ed0874d7524

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1.exe

Filesize
29KB

MD5
a9960199e100f6ba6d482327d0c896fa

SHA1
cf5e5a7bac987cc36231cf5ed73a4624faa86aaf

SHA256
8eb4442624a1c1121e3934edbdc132d912414c555aa1a3eea727323e26d2edec

SHA512
733469010911bd1a40d0d19ab3d549e5937f3e0a5b82c40a21113ccf50bc1d006a0fbbd0a1116507e0d3cb899232662b41d78466661620be807c6bbf693a50e2

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1.exe

Filesize
13KB

MD5
694c93e85d282d07e447d9812740ecb1

SHA1
30f29087585e9266724367fa5ded950c8a7fa14c

SHA256
a90010ef84f60645777064043ef70881ae004f70415aff08d984c5a1e2208f44

SHA512
9c6747ce36aeabd2880e1c4624e82608f93f08702de7871fa69a1a4807618d3c4525756be3c05ad1eb6ce20ece804659647f601f8a6c8577f0a387e5790e4aaf

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1.exe

Filesize
15KB

MD5
c2ff641094c9a19ebfeca7272f37a636

SHA1
a54165379b15489245bef31ee8b789f728ab08c2

SHA256
d27ab556f11253ae8524cd0eafb16725505d28bbb036f95df7b91d2ad5230d12

SHA512
75ff08c014990f6d6b21ac36ff18d804bf1c4406befec5633eb301ad92635d440fce17e06e2967f5e7aa68874876684d258b690cca581e1ff293e7fd27f94a66

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1.exe

Filesize
56KB

MD5
358d1e758356efcfc34e6f52585be50a

SHA1
4ea48f0af2d8e642cde6fe1af0b7d84a5522025c

SHA256
35f49f9364323816b713ca9e1d1654c00c03fc3c0908e91cf89a031fd2f8eb0c

SHA512
4a66e4edfcc8c50d402f2c3453c8d18926de9dde65883141584933a4a2b2d5069463652725e8387dad376e6e9b36835351dc3a49969b7fd9ccd7d2bcd352f9c4

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1.exe

Filesize
39KB

MD5
e117cc82223ee78aa8bcbfaf2a45f7f0

SHA1
5a1336a607db1666ef10517398fccf6d9ffc90c6

SHA256
6985456aa860765669beeaf2cfcfea7bba3a4de2d7f4fe69b13019afb850e82c

SHA512
a622da3019c2b92560590b9f1c390444dfa132a4c9e064909104bd0a79fc6573cb01b14474d699d6d5236e2f2e98f4ee13fb02b7e39408c6fbcf1a8c0fbc951b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1.exe

Filesize
45KB

MD5
a69cd6fde4517ea098258c9e7f908a53

SHA1
97bfc2f8b7c0a1d47e5e23cb909ffc9880325d70

SHA256
949b73e48f933bb3966cab8a143151b1ec111e9c9b491d7c5c9c09b9766bef02

SHA512
dea5dbbe8a12a88cdd9eae227c28733d15a3af4f4f7b20fb182050268557d5c2b7881990cd13ca1cb717f6e68e203a274747e0eb5afe2f135c6a362c8f29b508

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1.exe

Filesize
29KB

MD5
3160babd5079b9c386ef02eb2ba88749

SHA1
aeb066b9a33806798ad3b01e6bb3a313529d3841

SHA256
2d7ef76df070596dd85d8daaab87a64f8779f80d2c4c18e46130469f537c7683

SHA512
2b6ddc9c9ea4da5126f40e23a2fa66f64e1296e36ae0acadc9a56066e523b5c362b9eecf4df7487101cca3412b3a989da650b03a68294aa38664c78cdd10c0fe

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2.exe

Filesize
5KB

MD5
86354d136bafc79bf4d09a21787e8ed8

SHA1
79c7526153229d28239a2aa5e4045bb3baf327c0

SHA256
20863aacf1e9afc3f8456da342c9b9f0627571561d60d367ef9d9f6ed15a7c23

SHA512
8d1063b896067247c0b7374f9bd3d20e3d07deecec396bc73b9c52e51451407606f2fcfbf1da27b42123ed4b32bc442a83b177fa226cf50cf60f9c7fe356ec8d

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2.exe

Filesize
7KB

MD5
d3b973e304213e298ba7d26e6999c41b

SHA1
7372d3b2aa64fcbdbae28e35d69e89b55a28ab4e

SHA256
4e6d8a4c922e2104e818e4b75f2cf0418af42d332bcae8a7adceccd32cbb18cf

SHA512
405e615f66ff09bb3bfecd1f8aad4247bf23a3fcecb45196b3c5b2e295022b88bbb29dcdfe01b5afa2356a1db8d1ad4a71d84372f68c20363e300d6f28319128

Download Submit
memory/2200-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2448-36-0x00000000003D0000-0x00000000003E3000-memory.dmp

Filesize
76KB

Download
memory/2448-47-0x00000000003D0000-0x00000000003D3000-memory.dmp

Filesize
12KB

Download
memory/2448-46-0x00000000003D0000-0x00000000003D3000-memory.dmp

Filesize
12KB

Download
memory/2448-37-0x00000000003D0000-0x00000000003E3000-memory.dmp

Filesize
76KB

Download
memory/2608-41-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2608-42-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2608-65-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2632-49-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2632-53-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2632-54-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2632-66-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download