dd91f79b47a46883a74f1fe0c71e3e088c664d6e5a09e462e60018223894806e

Analysis

max time kernel
132s
max time network
135s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18e51d9441df2eef239ef19bf8f88f96.exe
Size

1.9MB
MD5

18e51d9441df2eef239ef19bf8f88f96
SHA1

baee9873d0e75999e472e8871e3cddbd87937b1a
SHA256

dd91f79b47a46883a74f1fe0c71e3e088c664d6e5a09e462e60018223894806e
SHA512

3ab6ab11293f322cf4eb726629f8b53d4033409527fd1a80348bc6ca9b3309fbc981ffbbc9366f8e26b0f335e6fdc6b4b8d1252e0b31c5df75c8aa77891d1fb1
SSDEEP

49152:o7qDgEecSE/bTCH4nsGTfJ1Gh59I/Rk5vH6Y8CLRlDrxT3Axh1TcCGd5sgtGbTs:Uq0IOjmfJOv11yjGd/

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1420	test.exe

Loads dropped DLL 5 IoCs

pid	Process
2332	cmd.exe
2332	cmd.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2400-0-0x0000000000400000-0x0000000000771000-memory.dmp	upx
behavioral1/files/0x00080000000120f8-2.dat	upx
behavioral1/memory/2332-5-0x0000000002060000-0x0000000002159000-memory.dmp	upx
behavioral1/memory/2400-9-0x0000000000400000-0x0000000000771000-memory.dmp	upx
behavioral1/memory/1420-11-0x0000000000400000-0x00000000004F9000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3040	1420	WerFault.exe	30

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2332	2400	18e51d9441df2eef239ef19bf8f88f96.exe	29
PID 2400 wrote to memory of 2332	2400	18e51d9441df2eef239ef19bf8f88f96.exe	29
PID 2400 wrote to memory of 2332	2400	18e51d9441df2eef239ef19bf8f88f96.exe	29
PID 2400 wrote to memory of 2332	2400	18e51d9441df2eef239ef19bf8f88f96.exe	29
PID 2332 wrote to memory of 1420	2332	cmd.exe	30
PID 2332 wrote to memory of 1420	2332	cmd.exe	30
PID 2332 wrote to memory of 1420	2332	cmd.exe	30
PID 2332 wrote to memory of 1420	2332	cmd.exe	30
PID 1420 wrote to memory of 3040	1420	test.exe	32
PID 1420 wrote to memory of 3040	1420	test.exe	32
PID 1420 wrote to memory of 3040	1420	test.exe	32
PID 1420 wrote to memory of 3040	1420	test.exe	32

C:\Users\Admin\AppData\Local\Temp\18e51d9441df2eef239ef19bf8f88f96.exe
"C:\Users\Admin\AppData\Local\Temp\18e51d9441df2eef239ef19bf8f88f96.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 1532
      4⤵
      Loads dropped DLL
      Program crash
      PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\test.exe

Filesize
394KB

MD5
fb7a865328b3c02dd06507e74b8d46b9

SHA1
5e3c011acebb08db99759f43702a230275cd6cdd

SHA256
b9905f83103a0f8aa735be1e9ff4cc40564b4712bb294be34516fffcc83311fa

SHA512
6e41352b7ce155bf73c0caa62c2dbea764c50f653b7b71ed46d0e98be68eb09723cbc3f1a1638471df64c6f52e3a6a0524cd698e2d0c6d85e035833284c6652c

Download Submit
memory/1420-8-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1420-11-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1420-13-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2332-5-0x0000000002060000-0x0000000002159000-memory.dmp

Filesize
996KB

Download
memory/2332-7-0x0000000002060000-0x0000000002159000-memory.dmp

Filesize
996KB

Download
memory/2332-10-0x0000000002060000-0x0000000002159000-memory.dmp

Filesize
996KB

Download
memory/2332-12-0x0000000002060000-0x0000000002159000-memory.dmp

Filesize
996KB

Download
memory/2400-0-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/2400-9-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download