583d5c6046321fc208d546c9aa68e4d7d9069964df38663a10a9ee009b113264

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 11:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6ab41c50ff605e6191ad9525b1c5e87e.exe
Size

1.9MB
MD5

6ab41c50ff605e6191ad9525b1c5e87e
SHA1

df71e159477b7d7678587a157cbcd6e272983cd9
SHA256

583d5c6046321fc208d546c9aa68e4d7d9069964df38663a10a9ee009b113264
SHA512

0eea95d1f78045dc19baabcd6b260b1e11c52903f3326c95d520339f60b878fbbe758c63518e0750f99ac7421ebfc2145b378c5258be8a34bd7a0507fa90b1fd
SSDEEP

49152:y7qDgEecSE/bTCH4nsGTfJ1Gh59I/Rk5vH6Y8CLRlDrxT3Axh1TcCGd5sgtGbTs:yq0IOjmfJOv11yjGd/

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3276	test.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3864-0-0x0000000000400000-0x0000000000771000-memory.dmp	upx
behavioral2/files/0x00090000000231fb-4.dat	upx
behavioral2/memory/3276-5-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral2/memory/3276-8-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral2/memory/3864-7-0x0000000000400000-0x0000000000771000-memory.dmp	upx
behavioral2/memory/3864-22-0x0000000000400000-0x0000000000771000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4616	3276	WerFault.exe	18

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 3680	3864	6ab41c50ff605e6191ad9525b1c5e87e.exe	16
PID 3864 wrote to memory of 3680	3864	6ab41c50ff605e6191ad9525b1c5e87e.exe	16
PID 3864 wrote to memory of 3680	3864	6ab41c50ff605e6191ad9525b1c5e87e.exe	16
PID 3680 wrote to memory of 3276	3680	cmd.exe	18
PID 3680 wrote to memory of 3276	3680	cmd.exe	18
PID 3680 wrote to memory of 3276	3680	cmd.exe	18

C:\Users\Admin\AppData\Local\Temp\6ab41c50ff605e6191ad9525b1c5e87e.exe
"C:\Users\Admin\AppData\Local\Temp\6ab41c50ff605e6191ad9525b1c5e87e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Executes dropped EXE
    PID:3276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1968
      4⤵
      Program crash
      PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 3276 -ip 3276
1⤵
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
394KB

MD5
fb7a865328b3c02dd06507e74b8d46b9

SHA1
5e3c011acebb08db99759f43702a230275cd6cdd

SHA256
b9905f83103a0f8aa735be1e9ff4cc40564b4712bb294be34516fffcc83311fa

SHA512
6e41352b7ce155bf73c0caa62c2dbea764c50f653b7b71ed46d0e98be68eb09723cbc3f1a1638471df64c6f52e3a6a0524cd698e2d0c6d85e035833284c6652c

Download Submit
memory/3276-5-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3276-6-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/3276-8-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3276-20-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/3864-0-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/3864-7-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download
memory/3864-22-0x0000000000400000-0x0000000000771000-memory.dmp

Filesize
3.4MB

Download