af88138210801bd32c4f5d0329e5393e5c63e92133631dcef29f8fa605f91dee

Analysis

max time kernel
141s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 19:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

36674456f3cb3df0baba1cd9b62e1d3f.exe
Size

110KB
MD5

36674456f3cb3df0baba1cd9b62e1d3f
SHA1

5b176d91d4f9d56fc1232a338a7cdc0d4fe2e647
SHA256

af88138210801bd32c4f5d0329e5393e5c63e92133631dcef29f8fa605f91dee
SHA512

feb02621f8bad75137407eb5c4dcf429f5f27ed8e6cdb5bd6fda21933548813557d95e8d3d559d791eb4ffca4e0e4ce6a109fce836ce8bbbabcfb1d0be91a2ce
SSDEEP

3072:WNyah0mJ88pkMl3i0qdXqfXhRLDl2ZsUH:WwPAZl09qfXhRLZ2pH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2728	matrix341213.exe

Loads dropped DLL 8 IoCs

pid	Process
2400	36674456f3cb3df0baba1cd9b62e1d3f.exe
2400	36674456f3cb3df0baba1cd9b62e1d3f.exe
2728	matrix341213.exe
2728	matrix341213.exe
2728	matrix341213.exe
1892	WerFault.exe
1892	WerFault.exe
1892	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1892	2728	WerFault.exe	28

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2728	2400	36674456f3cb3df0baba1cd9b62e1d3f.exe	28
PID 2400 wrote to memory of 2728	2400	36674456f3cb3df0baba1cd9b62e1d3f.exe	28
PID 2400 wrote to memory of 2728	2400	36674456f3cb3df0baba1cd9b62e1d3f.exe	28
PID 2400 wrote to memory of 2728	2400	36674456f3cb3df0baba1cd9b62e1d3f.exe	28
PID 2400 wrote to memory of 2728	2400	36674456f3cb3df0baba1cd9b62e1d3f.exe	28
PID 2400 wrote to memory of 2728	2400	36674456f3cb3df0baba1cd9b62e1d3f.exe	28
PID 2400 wrote to memory of 2728	2400	36674456f3cb3df0baba1cd9b62e1d3f.exe	28
PID 2728 wrote to memory of 1892	2728	matrix341213.exe	29
PID 2728 wrote to memory of 1892	2728	matrix341213.exe	29
PID 2728 wrote to memory of 1892	2728	matrix341213.exe	29
PID 2728 wrote to memory of 1892	2728	matrix341213.exe	29
PID 2728 wrote to memory of 1892	2728	matrix341213.exe	29
PID 2728 wrote to memory of 1892	2728	matrix341213.exe	29
PID 2728 wrote to memory of 1892	2728	matrix341213.exe	29

C:\Users\Admin\AppData\Local\Temp\36674456f3cb3df0baba1cd9b62e1d3f.exe
"C:\Users\Admin\AppData\Local\Temp\36674456f3cb3df0baba1cd9b62e1d3f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\matrix341213.exe
  C:\Users\Admin\AppData\Local\Temp\matrix341213.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 256
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\matrix341213.exe

Filesize
64KB

MD5
a97f79296af28bf2480e1b4a994d9628

SHA1
968eaf33cdfcd25a6d23d9c46669aa9fd60d8623

SHA256
73b8672b4e46bc3d774d017086f9ab6296ca8d85871b1b4660d8ec7c3bae4b54

SHA512
73cb49ef1700152b2b704b5e05a18c84ed8588eac537160bdcaea2f170a348007e7862944aa65659a1129a034ac9661a7c6ea89483861becf0f912b60d74015c

Download Submit
memory/2728-13-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download