ce88ae107edb20b1ca74f4859728f03bde8a85eefa4fca0cc5cdfa5214caf86e

Analysis

max time kernel
148s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2023, 22:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fb640d94d7e8831d5d8392f0bbf57046.exe
Size

139KB
MD5

fb640d94d7e8831d5d8392f0bbf57046
SHA1

65767cdafa762051377b41de63ccb87fbc060d4d
SHA256

ce88ae107edb20b1ca74f4859728f03bde8a85eefa4fca0cc5cdfa5214caf86e
SHA512

a750e5faca06c1d02ba30bdba564a620d3d547676cc697a92ece3e7fb50586192416b05d440118d3b42202637c04946d57790399d4bbccffd20124cf29587422
SSDEEP

1536:aaqR4ON/tQi99rtuUXKIs4/18bz/uf3YTpIPzo6TtxY9UzGbreOTeY+TGx7Wac/w:a2i99xNKkOzyIT2PzfTyRSO5+TyiacY

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-768304381-2824894965-3840216961-1000\desktop.ini	fb640d94d7e8831d5d8392f0bbf57046.exe
File created	\??\c:\Program Files\desktop.ini	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\desktop.ini	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	fb640d94d7e8831d5d8392f0bbf57046.exe
File created	\??\c:\$Recycle.Bin\S-1-5-21-768304381-2824894965-3840216961-1000\desktop.ini	fb640d94d7e8831d5d8392f0bbf57046.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.Http.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.Serialization.Formatters.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\UIAutomationClient.resources.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-pl.xrm-ms	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-ms	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms	fb640d94d7e8831d5d8392f0bbf57046.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.IO.Packaging.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File created	\??\c:\Program Files\Internet Explorer\ExtExport.exe	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-oob.xrm-ms	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-memory-l1-1-0.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.MemoryMappedFiles.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\System.Windows.Controls.Ribbon.resources.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\WindowsFormsIntegration.resources.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ppd.xrm-ms	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Common Files\System\msadc\msaddsr.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Threading.AccessControl.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ul-oob.xrm-ms	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\UIAutomationProvider.resources.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\System.Windows.Forms.resources.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\PresentationUI.resources.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\System.Windows.Forms.resources.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\jawt.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\System.Windows.Input.Manipulations.resources.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ppd.xrm-ms	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ppd.xrm-ms	fb640d94d7e8831d5d8392f0bbf57046.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\api-ms-win-core-profile-l1-1-0.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\lib\deploy\messages_sv.properties	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File created	\??\c:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Collections.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml	fb640d94d7e8831d5d8392f0bbf57046.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\dt_socket.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\lib\plugin.jar	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-ms	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md	fb640d94d7e8831d5d8392f0bbf57046.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PenImc_cor3.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Formats.Asn1.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\System.Windows.Forms.Primitives.resources.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\COPYRIGHT	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ul-oob.xrm-ms	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\System.Windows.Forms.Primitives.resources.dll	fb640d94d7e8831d5d8392f0bbf57046.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\LICENSE	fb640d94d7e8831d5d8392f0bbf57046.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1176	1360	WerFault.exe	14

C:\Users\Admin\AppData\Local\Temp\fb640d94d7e8831d5d8392f0bbf57046.exe
"C:\Users\Admin\AppData\Local\Temp\fb640d94d7e8831d5d8392f0bbf57046.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:1360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 800
  2⤵
  - Program crash
  PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1360 -ip 1360
1⤵
PID:636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.chm

Filesize
252KB

MD5
689c5b8c4e3bb28125fd09bb9591eb76

SHA1
15d34e97353bfe2b44a2b91adee64feee9e31887

SHA256
21498c8d21f746f4da05ebdc679ad2fbcc3c5c1b03b9e40b611e9b6173f94e43

SHA512
af72f6e918fbd8b1f909311fed6d70e2e9c831f732b9b7733e3f48eefbb1bab17a55ba926f132b4deaf3c564499af6bc9c91fabc7f3ab35f7178b25d405e1489

Download Submit
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms

Filesize
5B

MD5
b5b682b742431a52ea8b17c72ad9c572

SHA1
326320f469235708c59f678c9a7357dca552d306

SHA256
30d9045a9f172208b13161d1f5204e5787e5e07bfbb4f490d0041b03b7f44f76

SHA512
4e1bd7cc616b3115baf6be7ebd29fe2d1123bc0f25464865a0cf9207b0344fba70747a5ce6f00e8d9c696881f6db1e12f81736bc748b6f2b60bf84c681a49163

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK

Filesize
119B

MD5
da7c482f5358bd9da5bbfe76e3447a8e

SHA1
dc0e0a748e790dc04133c65b52cd69b1676bd9c2

SHA256
4a4c9f290dadb6052556670faf60e07f0cc3c6f5a7b478d2da2234be8ea5508b

SHA512
e9bb5f64535ebed8a4f38bc4144b3dc4dedcf6a3010a87a0cfa2306fbdc5ce8d3e9fd00ad9ae019548b3085edca33283c507325a6c484f66b484778a035878bc

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK

Filesize
118B

MD5
805ae32d41bd54cee2613872031b2c20

SHA1
5c2201ef44d4c345c2ad40bf67c3cb5f17509bad

SHA256
641723ac1f2a767466006fb811f8140370ef9f2904398ee77f160c0e7bda7ba0

SHA512
a40328c1800ff312c79e873b9cdc1cc8fd4b61629fcf379257401b167c45fa53c3a019eb1bc6fb55ae8e9e74b9ad8e226163d75918f564e787f57696670688b0

Download Submit
memory/1360-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1360-3501-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads