5dff6639858f7ab4850bd64e68be89082b9b6fd4c85deb4b57a1d480ee366b91

Analysis

max time kernel
0s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b804687759fac931ea505771b6a3848.exe
Size

1.2MB
MD5

1b804687759fac931ea505771b6a3848
SHA1

482e272ee3d12972935f4dba69108252c332c05a
SHA256

5dff6639858f7ab4850bd64e68be89082b9b6fd4c85deb4b57a1d480ee366b91
SHA512

e61f782958920d2c490da3373c29e4e6c6f55aa37966708e4871f7e8ddbf4786b7db2bfed9a787f76bc9f763f2bd1a655db6a392dfac2291aed18ddc14150253
SSDEEP

24576:XvgiTlHXPiG7l9pFPVVmL+kLckSvy5gST:UG7TC/gST

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2584	4116	WerFault.exe	109

Kills process with taskkill 1 IoCs

evasion

pid	Process
3456	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\1b804687759fac931ea505771b6a3848.exe
"C:\Users\Admin\AppData\Local\Temp\1b804687759fac931ea505771b6a3848.exe"
1⤵
PID:1272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q/c coPY /Y "C:\Users\Admin\AppData\Local\Temp\1b804687759fac931ea505771b6a3848.exe" ..\YDFCIX_QgIyI5Y.eXE > nul && stArT ..\yDFCiX_QGIyI5y.eXe -pyaPFapeq0fulbiWQ2BolE & iF "" == "" for %W in ( "C:\Users\Admin\AppData\Local\Temp\1b804687759fac931ea505771b6a3848.exe" ) do taskkill -IM "%~NxW" /F > nUl
  2⤵
  PID:5008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -IM "1b804687759fac931ea505771b6a3848.exe" /F
    3⤵
    - Kills process with taskkill
    PID:3456
- - C:\Users\Admin\AppData\Local\Temp\YDFCIX_QgIyI5Y.eXE
    ..\yDFCiX_QGIyI5y.eXe -pyaPFapeq0fulbiWQ2BolE
    3⤵
    PID:1512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ecHo vsC:\Users\Admin\AppData\Local\Temp> Z3FO0HKM.w& echo | SeT /p = "MZ" > KGUZN7.Bg & Copy /b /Y KGUZN7.BG+YV5CU.K+ ~VA0F.cSg+ ~VG2BJ.p + rJY9T.F +cQXI.DFZ +8dTJ.PvP + ZdT0GP.uo + JS65L2xT.VWP + 9u91.IE4 + PBMlA.R+ z3FO0hKM.W ..\ABzX9.2d > nuL & dEL /Q *> NuL&stARTregsvr32 ..\ABZX9.2d -u -s
1⤵
PID:4856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>KGUZN7.Bg"
  2⤵
  PID:2380
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 ..\ABZX9.2d -u -s
  2⤵
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\e5893fe.exe
    "C:\Users\Admin\AppData\Local\Temp\e5893fe.exe"
    3⤵
    PID:4116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 804
      4⤵
      Program crash
      PID:2584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "
  2⤵
  PID:3536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q/c coPY /Y "C:\Users\Admin\AppData\Local\Temp\YDFCIX_QgIyI5Y.eXE" ..\YDFCIX_QgIyI5Y.eXE > nul && stArT ..\yDFCiX_QGIyI5y.eXe -pyaPFapeq0fulbiWQ2BolE & iF "-pyaPFapeq0fulbiWQ2BolE " == "" for %W in ( "C:\Users\Admin\AppData\Local\Temp\YDFCIX_QgIyI5Y.eXE" ) do taskkill -IM "%~NxW" /F > nUl
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4116 -ip 4116
1⤵
PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ABzX9.2d

Filesize
22KB

MD5
66456c546cb086db711ae0fbc3856379

SHA1
df4a2e37eeae46f572472d7d7c0847af2239fca0

SHA256
9572fac4493570c0e10a423154898a5701fd4268784d03b54020befd0d6703ea

SHA512
0e0c9dd5cef6d62638a7795604d1eb36e9e31fe33faab08a5500a7129d5f0e502b2e0c2e6c8b485fa5843710124a29d9b1d70181fb0da3ce962d8a42e9d0f0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\8dTJ.pvP

Filesize
22KB

MD5
46f678c4eef34b63823fe2fc130f4b6b

SHA1
b263d104974f48623093b3e3f9586d736c2be8fb

SHA256
3cf41ad395c4e16da06936b04d5a32124b135e8524c371988878ec8d1502ed55

SHA512
13acaa64c90813a415979a3944cf6ce96209af70660cb545cacdc574ad52bda58a463f777f7dd61115178a827607b1a52b7e7f8295166a94f62194a7cc947e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\9u91.Ie4

Filesize
1KB

MD5
4e1476cbfc36a5cb46f89698e5ceb02a

SHA1
a6b26097cd264db273ef321ba9954e33a4e6641e

SHA256
98557f77c327e33b24f418d89b8eaca6ede7e0db36ca3594e07c6d79e7112fa6

SHA512
4b7706174a41c3bbdea129c2a278c7ac35b15345ae75fb2e3c788867d5c2d4c66c5b14705d674c7b0d144a3a42be7b1b4775e81d363155d5ab2295ab729fdf5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JS65L2xT.VWP

Filesize
37KB

MD5
af3e7b5a36f68f7115eca11fa3a18ade

SHA1
8f313a23789f86f96ed17692e1fa37ca04bb7eb6

SHA256
6e4dda5a7453dd2efdf9fc4bf96059d76c5badb52d32723edc3d15917fd5b2a1

SHA512
31c44c0f6dc31ca8e4f3dd5c787e1cf667468872c00dfc823402f431a48c82d8ecbb7a56418bb7b1219d8ccfd840efb16e4172b5e57b9cb5a168ee0c1f72a315

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\KGUZN7.Bg

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\YV5CU.K

Filesize
12KB

MD5
540c31260602d6aee85f8aa053def9fb

SHA1
ce1e2abab9b46443eafefe4754c909febcd4beb5

SHA256
d52052d8820f6b15b8c09e4ab5c11821c1b23bf95a4175ab0ad94c29ab7860cc

SHA512
42c8cb723851fc75f5702fa22d7e4a02209243f8038956f824e10c7006407ff8593f7daee6b85bb5be6148c720e1c64842e06bc7c2a4ee329eb821b4e4bcd683

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\cQXI.DFZ

Filesize
1KB

MD5
4b6e7e798150c099007e26bb2f278d86

SHA1
ecb6bc78774539feeb3b4ae810b225d56c5907f5

SHA256
ea7ab5e36d5bb31ba54f587c1a0ad76b6b6b0745d74448e9cdb0e86f3962734e

SHA512
75184b0b2f1a6931a422c6d125f4b88b75b2cfa2fea99a0c72f3b2ae4ef08fc99b289f06aeb529e391f4cb0a22fb46b6fe24b3bf600c7e9750a3042bfe8876ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\pBmlA.R

Filesize
13KB

MD5
dcca1cdf7f83cb579e46507edd6461ed

SHA1
fe73334c6569fb05788eaf833f2a54c7db7f7c4d

SHA256
c5cb3966dc04dc67dbd4d0c88829de71d453521d111219aabfbebe0e499c5811

SHA512
8440dc46bf89e874506a906737cc32f17f97c11a998bc03677241544e2fa398037124db1ecb2d1a9c227f7df6f27131b003d1fb2b37a0b8b3ccb252e098be043

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\rJY9T.f

Filesize
19KB

MD5
a15d90a224eb4044d21fd5fdd074b779

SHA1
e66b96e51a1b5207d25dbf7c2fd645af350eaf14

SHA256
0f050971586c61890cce59efa6ce5eccb6b013d204a2c1fa2d04c50e403a4233

SHA512
0ebb326a0ce28c87253420f38d9c2809e2478edb287f10caa3e4ba557410806667fa3cbe0845bc4c2b043a3b4d983f3478d7cfa67a514dca5f7bad66e844a53c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\~Va0F.cSg

Filesize
20KB

MD5
049547250b0fcda1413c68c990aea5f8

SHA1
4a09577458c70ad1535e4a7141e527305c99b51e

SHA256
dfe708290fbbb42726a1c576aa624a401ccded4e12d94729be7fe3e46b0c40ef

SHA512
c1a3039197415cb377c5002b3716eca03e7f9a0211e2f4cbb86c36f5f2b2447b1fdf9b2dfc86294ed616b50afec921e7aa36380706682d427498958983ff05d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\~vG2BJ.p

Filesize
16KB

MD5
70ec874828195a89db06c9a6b6d16ca1

SHA1
6cdab27388a24861ad2105f4a6e8a81bbd75b80f

SHA256
576275e64697e0be1d6e728ac93ce1ea6bed1d79d04ea397146a56010ede37c6

SHA512
22d86cd499f946f95c8d378b2af6236b5424aefb41326cf2de3fbd8d603f43c37ed27a5822eb967b63d61a3862600fc5b8cf5e903d6155c3d6d7db951c7ec024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YDFCIX_QgIyI5Y.eXE

Filesize
9KB

MD5
019146b4f60090356ce9e0052a19ea30

SHA1
9b61364853a8452f6154171e957557163a382999

SHA256
d086071afc57544d5e54e1cf04eeaaf283d4670f13aefe6c302426d2351b5278

SHA512
a46fd60f1e04ed4918202726fe8a480b10a5b2bcbd05f826a3db75e3bb6339a400f0b854c9f6c21652de84fdb502ee3690ab5a660ad3ad1f911e8321b527e4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YDFCIX_QgIyI5Y.eXE

Filesize
5KB

MD5
f10f669b63f07bdd083715825be4e64a

SHA1
d789a5a00f206ee6b12b45a3e740356f44d0b11d

SHA256
a9a913e7721f6069f76865be6b3187da76d2de35ce7032c3a79e1e8e451d6808

SHA512
1d24dc2bc6d1f1c9b059a72149d6427021345887ba4685238036dc6b10dff84c7f1e5e6f874930095c6a945489a8aaa658a4b6b2995fa022576b394c559c47e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5893fe.exe

Filesize
21KB

MD5
858939a54a0406e5be7220b92b6eb2b3

SHA1
da24c0b6f723a74a8ec59e58c9c0aea3e86b7109

SHA256
a30f30a109cb78d5eb1969f6c13f01a1e0a5f07b7ad8b133f5d2616223c1ce0a

SHA512
8875d1e43ea59314695747796894a2f171e92f7b04024dbc529af1497331489e279cd06ea03061288089d2f07ad437178b9d62f0bae2e16ae0b95c5681569401

Download Submit
memory/1532-44-0x0000000002CC0000-0x0000000002DAD000-memory.dmp

Filesize
948KB

Download
memory/1532-58-0x0000000004180000-0x0000000004211000-memory.dmp

Filesize
580KB

Download
memory/1532-46-0x0000000002F20000-0x0000000002FCC000-memory.dmp

Filesize
688KB

Download
memory/1532-50-0x0000000002FD0000-0x0000000003069000-memory.dmp

Filesize
612KB

Download
memory/1532-47-0x0000000002FD0000-0x0000000003069000-memory.dmp

Filesize
612KB

Download
memory/1532-51-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/1532-55-0x0000000002CC0000-0x0000000002DAD000-memory.dmp

Filesize
948KB

Download
memory/1532-56-0x0000000002FD0000-0x0000000003069000-memory.dmp

Filesize
612KB

Download
memory/1532-57-0x0000000003070000-0x000000000417F000-memory.dmp

Filesize
17.1MB

Download
memory/1532-45-0x0000000002E60000-0x0000000002F12000-memory.dmp

Filesize
712KB

Download
memory/1532-59-0x0000000004220000-0x00000000042AB000-memory.dmp

Filesize
556KB

Download
memory/1532-62-0x0000000004220000-0x00000000042AB000-memory.dmp

Filesize
556KB

Download
memory/1532-64-0x0000000000A50000-0x0000000000A56000-memory.dmp

Filesize
24KB

Download
memory/1532-63-0x0000000000A40000-0x0000000000A44000-memory.dmp

Filesize
16KB

Download
memory/1532-66-0x0000000002E60000-0x0000000002F12000-memory.dmp

Filesize
712KB

Download
memory/1532-43-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/4116-83-0x0000000000600000-0x0000000000608000-memory.dmp

Filesize
32KB

Download
memory/4116-84-0x00000000728C0000-0x0000000073070000-memory.dmp

Filesize
7.7MB

Download
memory/4116-85-0x00000000728C0000-0x0000000073070000-memory.dmp

Filesize
7.7MB

Download