3a09e2b50c089eb7e0267749a325d8b5296033f8f31ce1a3f640e6da54a29992

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29dd0db15779ffb863345c54fd1709a7.exe
Size

361KB
MD5

29dd0db15779ffb863345c54fd1709a7
SHA1

1128ffb1bf60cfdffd2f9a6e05d99fd6ee4c425c
SHA256

3a09e2b50c089eb7e0267749a325d8b5296033f8f31ce1a3f640e6da54a29992
SHA512

33cc592b89ad6f8c45bf9ba91d67f16d5b1111a01dea68287c9c11aad3825d438e85a73ee7a6f58e83523127de4a20c74607c2af35c96c2d86f1beb859ea56af
SSDEEP

6144:cbeDLwwWFCARMB/6PbAkqxSCHg+bEDHH1j/A5Wd81Fap8UvqALK5bFOt+F4gLX63:j4wWFCA6BBkqxSC3byjQWL8MqAKcIjiP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2892	Mail.ru patch_v1b.exe

Loads dropped DLL 8 IoCs

pid	Process
1056	29dd0db15779ffb863345c54fd1709a7.exe
2892	Mail.ru patch_v1b.exe
2892	Mail.ru patch_v1b.exe
2892	Mail.ru patch_v1b.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2764	2892	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2164	DllHost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2892	1056	29dd0db15779ffb863345c54fd1709a7.exe	19
PID 1056 wrote to memory of 2892	1056	29dd0db15779ffb863345c54fd1709a7.exe	19
PID 1056 wrote to memory of 2892	1056	29dd0db15779ffb863345c54fd1709a7.exe	19
PID 1056 wrote to memory of 2892	1056	29dd0db15779ffb863345c54fd1709a7.exe	19
PID 1056 wrote to memory of 2892	1056	29dd0db15779ffb863345c54fd1709a7.exe	19
PID 1056 wrote to memory of 2892	1056	29dd0db15779ffb863345c54fd1709a7.exe	19
PID 1056 wrote to memory of 2892	1056	29dd0db15779ffb863345c54fd1709a7.exe	19
PID 2892 wrote to memory of 2764	2892	Mail.ru patch_v1b.exe	18
PID 2892 wrote to memory of 2764	2892	Mail.ru patch_v1b.exe	18
PID 2892 wrote to memory of 2764	2892	Mail.ru patch_v1b.exe	18
PID 2892 wrote to memory of 2764	2892	Mail.ru patch_v1b.exe	18
PID 2892 wrote to memory of 2764	2892	Mail.ru patch_v1b.exe	18
PID 2892 wrote to memory of 2764	2892	Mail.ru patch_v1b.exe	18
PID 2892 wrote to memory of 2764	2892	Mail.ru patch_v1b.exe	18

C:\Users\Admin\AppData\Local\Temp\29dd0db15779ffb863345c54fd1709a7.exe
"C:\Users\Admin\AppData\Local\Temp\29dd0db15779ffb863345c54fd1709a7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Local\Temp\Mail.ru patch_v1b.exe
  "C:\Users\Admin\AppData\Local\Temp\Mail.ru patch_v1b.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2892

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 252
1⤵
- Loads dropped DLL
- Program crash
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Mail.ru patch_v1b.exe

Filesize
230KB

MD5
0394f345e5571993994bff85dbac37ac

SHA1
1c74c54022b6b51fc76a71c067c207d3fe1d5143

SHA256
1f4c3cb142ba89469ec47b5bdece98562c46e983929c3527862026386a2df484

SHA512
dbed4bb587c99dd7a82d5b5bbc3cb92285cd176b01704ad2b5621b66b26b42a5f332527cb4b8ce11f56eec042504cecc53b641cd835351c2e35b089346657a81

Download Submit
memory/1056-1-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2164-5-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2164-2-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2164-21-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download