dd91f79b47a46883a74f1fe0c71e3e088c664d6e5a09e462e60018223894806e

Analysis

max time kernel
165s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18e51d9441df2eef239ef19bf8f88f96.exe
Size

1.9MB
MD5

18e51d9441df2eef239ef19bf8f88f96
SHA1

baee9873d0e75999e472e8871e3cddbd87937b1a
SHA256

dd91f79b47a46883a74f1fe0c71e3e088c664d6e5a09e462e60018223894806e
SHA512

3ab6ab11293f322cf4eb726629f8b53d4033409527fd1a80348bc6ca9b3309fbc981ffbbc9366f8e26b0f335e6fdc6b4b8d1252e0b31c5df75c8aa77891d1fb1
SSDEEP

49152:o7qDgEecSE/bTCH4nsGTfJ1Gh59I/Rk5vH6Y8CLRlDrxT3Axh1TcCGd5sgtGbTs:Uq0IOjmfJOv11yjGd/

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4544	test.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4244-0-0x0000000000400000-0x0000000000771000-memory.dmp	upx
behavioral2/files/0x0007000000023222-4.dat	upx
behavioral2/memory/4544-5-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral2/memory/4244-7-0x0000000000400000-0x0000000000771000-memory.dmp	upx
behavioral2/memory/4544-8-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral2/memory/4244-26-0x0000000000400000-0x0000000000771000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4048	4544	WerFault.exe	91

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 4116	4244	18e51d9441df2eef239ef19bf8f88f96.exe	90
PID 4244 wrote to memory of 4116	4244	18e51d9441df2eef239ef19bf8f88f96.exe	90
PID 4244 wrote to memory of 4116	4244	18e51d9441df2eef239ef19bf8f88f96.exe	90
PID 4116 wrote to memory of 4544	4116	cmd.exe	91
PID 4116 wrote to memory of 4544	4116	cmd.exe	91
PID 4116 wrote to memory of 4544	4116	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\18e51d9441df2eef239ef19bf8f88f96.exe
"C:\Users\Admin\AppData\Local\Temp\18e51d9441df2eef239ef19bf8f88f96.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Executes dropped EXE
    PID:4544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1976
      4⤵
      Program crash
      PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4544 -ip 4544
1⤵
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
394KB

MD5
fb7a865328b3c02dd06507e74b8d46b9

SHA1
5e3c011acebb08db99759f43702a230275cd6cdd

SHA256
b9905f83103a0f8aa735be1e9ff4cc40564b4712bb294be34516fffcc83311fa

SHA512
6e41352b7ce155bf73c0caa62c2dbea764c50f653b7b71ed46d0e98be68eb09723cbc3f1a1638471df64c6f52e3a6a0524cd698e2d0c6d85e035833284c6652c

Download Submit
memory/4244-0-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/4244-7-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/4244-26-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/4544-5-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4544-6-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/4544-8-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4544-11-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download