Overview

overview

10

Static

static

3

38e9310309...bd.exe

windows7-x64

10

38e9310309...bd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 19:43

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    38e93103093d97b7dd1524cdb0e41dbd.exe

  • Size

    254KB

  • MD5

    38e93103093d97b7dd1524cdb0e41dbd

  • SHA1

    bb3f6553dfceaa1f52ebf24b15bbac6dc2257966

  • SHA256

    15af6b1bb41f227bd7f79870c8e572f92dc85a8cc0b083b8cc3057819ef68722

  • SHA512

    70d0cc2a33476a7c049a179cd4684cacd8d7d33371b974e71a1c5c3a52b961fc807bccd179a91d2e6164b6aeab6232225952667cc1c186fbcc8516d1bf2d72b0

  • SSDEEP

    6144:DQuX/N+zUuoHIjIduBGFIxMe3axVbkHVr:dX7YjWSdPd

Score
10/10
evasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38e93103093d97b7dd1524cdb0e41dbd.exe
    "C:\Users\Admin\AppData\Local\Temp\38e93103093d97b7dd1524cdb0e41dbd.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4076
    • C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2196
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 740
        3⤵
        • Program crash
        PID:5988
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2196 -ip 2196
    1⤵
      PID:5084

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\tazebama.dl_
            Filesize

            157KB

            MD5

            0c2f1ff4bc82e3997245aec9e4e21e36

            SHA1

            5095c462b094f19ce6bf51b077d9c7a0c2b593cb

            SHA256

            6dd7cac8bece4a402d542af561df39b87d05ef8f4dd4306b934b6504bf4b1194

            SHA512

            b680a37711df37d1b66332ab04d397d4a1eabbd4ef62566b8c5f7f38e3a087caad36ffafe96b3cff9817b4eaaf98e8813dd53e45b9f2d947bc0941c5135d2eca

            Download Submit

          • C:\Users\tazebama.dll
            Filesize

            32KB

            MD5

            b6a03576e595afacb37ada2f1d5a0529

            SHA1

            d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

            SHA256

            1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

            SHA512

            181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

            Download Submit

          • C:\autorun.inf
            Filesize

            126B

            MD5

            163e20cbccefcdd42f46e43a94173c46

            SHA1

            4c7b5048e8608e2a75799e00ecf1bbb4773279ae

            SHA256

            7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

            SHA512

            e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

            Download Submit

          • C:\zPharaoh.exe
            Filesize

            157KB

            MD5

            9f637c1b3e608ac39f85c6a18f0bb6a8

            SHA1

            04e9f1eaf2c5882d160c811f917be365273805f9

            SHA256

            0d063da7582d8a035ede0f2ebc870a77626662af83fc9206b882425cf8e0a311

            SHA512

            1e937b3c3779ecda2d0e836f551a9a5ba3fcd2a3c7c5e40aff7ad652744e97bd265a4048ba0a63f07fa3e226f95d646cce64db7ac26037760d626761fffa4d75

            Download Submit

          • C:\zPharaoh.exe
            Filesize

            157KB

            MD5

            b2d09b035fc98219c03f4587ebefdd84

            SHA1

            d2b4af3759474261dc637005b8bd49cf35ed0989

            SHA256

            97ca518d009e4f56a1c29466f89e3828b04ecb05a50ae0f336d094fc60cb009d

            SHA512

            164247a2c1a10ef277e2b3a286b20cbc465083d1256f46eaaaf3416527513f1f0a05f877e60cb5246be499adda8e4fcb0f3fa7a1d7ade19ff5c45d01932be2ea

            Download Submit

          • memory/2196-12-0x0000000000400000-0x0000000000418000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2196-40-0x0000000000400000-0x0000000000418000-memory.dmp

            Filesize

            96KB

            Download

          • memory/4076-0-0x0000000000400000-0x000000000041A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/4076-7-0x0000000000400000-0x000000000041A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/4076-11-0x0000000000400000-0x000000000041A000-memory.dmp

            Filesize

            104KB

            Download