5ba1a570ef21a80f00515d3b71926b4a8632a23717df22fc75b43f39231dcf85

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 23:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4237c0821b2224499264bc9f459114d6.exe
Size

197KB
MD5

4237c0821b2224499264bc9f459114d6
SHA1

99d94f6f2c16048f4af128b40cdf601f740df2eb
SHA256

5ba1a570ef21a80f00515d3b71926b4a8632a23717df22fc75b43f39231dcf85
SHA512

6573a55990f677d1cd31ba42a8a20f85505125ebf640973c40811391a0b13217798ce140726e92dda172e5006acd33d6a6b5aece85764db12e210d515a0d162a
SSDEEP

3072:WwxVMhOC/dTDbq91+mno3t4QZQ3rAHCFFqvpg7811T4R6g+W/32eDgiLnqm28j79:WTfFDbRnOTrAkovpg7uT4c4f2pK92Q79

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1028	install.exe

Loads dropped DLL 9 IoCs

pid	Process
1880	4237c0821b2224499264bc9f459114d6.exe
1028	install.exe
1028	install.exe
1028	install.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2368	1028	WerFault.exe	28

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1028	1880	4237c0821b2224499264bc9f459114d6.exe	28
PID 1880 wrote to memory of 1028	1880	4237c0821b2224499264bc9f459114d6.exe	28
PID 1880 wrote to memory of 1028	1880	4237c0821b2224499264bc9f459114d6.exe	28
PID 1880 wrote to memory of 1028	1880	4237c0821b2224499264bc9f459114d6.exe	28
PID 1880 wrote to memory of 1028	1880	4237c0821b2224499264bc9f459114d6.exe	28
PID 1880 wrote to memory of 1028	1880	4237c0821b2224499264bc9f459114d6.exe	28
PID 1880 wrote to memory of 1028	1880	4237c0821b2224499264bc9f459114d6.exe	28
PID 1028 wrote to memory of 2368	1028	install.exe	29
PID 1028 wrote to memory of 2368	1028	install.exe	29
PID 1028 wrote to memory of 2368	1028	install.exe	29
PID 1028 wrote to memory of 2368	1028	install.exe	29
PID 1028 wrote to memory of 2368	1028	install.exe	29
PID 1028 wrote to memory of 2368	1028	install.exe	29
PID 1028 wrote to memory of 2368	1028	install.exe	29

C:\Users\Admin\AppData\Local\Temp\4237c0821b2224499264bc9f459114d6.exe
"C:\Users\Admin\AppData\Local\Temp\4237c0821b2224499264bc9f459114d6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 256
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
292KB

MD5
67ef30465fa79ac705e1450dbb388a7f

SHA1
19d21f9a87a533966d6d3bc6dad8233b1ac134b7

SHA256
abbe0e90a246623c6c138bffca5eb9d82641c0c0db5a986858134dee3c373242

SHA512
82ae9de8fc458603520f56d62023cd79631af745c4bf91ea9e87f777eefe62aac7c5f9a5093f4115acf28cd21b8742f6bc5314b1583a9ccb54736a3bbed579b9

Download Submit
memory/1880-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download