0d0751833ea29483cfc49a5a1234d93869bc6981eab924afaf5b0c91314c5741

Analysis

max time kernel
4s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 22:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

057675eef0c78a4f47eff70d248b2cda.exe
Size

3.9MB
MD5

057675eef0c78a4f47eff70d248b2cda
SHA1

54c80ff06015457d8a233eee544823c5eb74978a
SHA256

0d0751833ea29483cfc49a5a1234d93869bc6981eab924afaf5b0c91314c5741
SHA512

87d12475253445ca783b9206aff521b1e65d6e9fb664331190ca5d7b9283627ca71e8f09124f0f915dcc654c3d1db375bd8299044ce50a6da22f5ed4782a8e35
SSDEEP

98304:ElzvVRBKgqmW5FcA9zyULG+YFin9PAr+LzKA9zyULG+0Y7+Wp303yA9zyULG+YF4:evV6gDkzLqUhArmPzLqJYrGzzLqUhArp

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5664	057675eef0c78a4f47eff70d248b2cda.exe

Executes dropped EXE 1 IoCs

pid	Process
5664	057675eef0c78a4f47eff70d248b2cda.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5244-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x000700000002320f-12.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 18 IoCs

pid	pid_target	Process	procid_target
1436	5664	WerFault.exe
6076	5664	WerFault.exe	31
2744	5664	WerFault.exe	31
6000	5664	WerFault.exe	31
4848	5664	WerFault.exe	31
4108	5664	WerFault.exe	31
804	5664	WerFault.exe	31
2164	5664	WerFault.exe	31
4172	5664	WerFault.exe	31
3096	5664	WerFault.exe	31
2232	5664	WerFault.exe	31
5580	5664	WerFault.exe	31
5324	5664	WerFault.exe	31
2984	5664	WerFault.exe	31
3700	5664	WerFault.exe	31
448	5664	WerFault.exe	31
64	5664	WerFault.exe	31
4760	5664	WerFault.exe	31

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4744	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5244	057675eef0c78a4f47eff70d248b2cda.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
5244	057675eef0c78a4f47eff70d248b2cda.exe
5664	057675eef0c78a4f47eff70d248b2cda.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5244 wrote to memory of 5664	5244	057675eef0c78a4f47eff70d248b2cda.exe	31
PID 5244 wrote to memory of 5664	5244	057675eef0c78a4f47eff70d248b2cda.exe	31
PID 5244 wrote to memory of 5664	5244	057675eef0c78a4f47eff70d248b2cda.exe	31
PID 5664 wrote to memory of 4744	5664	057675eef0c78a4f47eff70d248b2cda.exe	21
PID 5664 wrote to memory of 4744	5664	057675eef0c78a4f47eff70d248b2cda.exe	21
PID 5664 wrote to memory of 4744	5664	057675eef0c78a4f47eff70d248b2cda.exe	21
PID 5664 wrote to memory of 2208	5664	057675eef0c78a4f47eff70d248b2cda.exe	29
PID 5664 wrote to memory of 2208	5664	057675eef0c78a4f47eff70d248b2cda.exe	29
PID 5664 wrote to memory of 2208	5664	057675eef0c78a4f47eff70d248b2cda.exe	29
PID 2208 wrote to memory of 4424	2208	cmd.exe	24
PID 2208 wrote to memory of 4424	2208	cmd.exe	24
PID 2208 wrote to memory of 4424	2208	cmd.exe	24

C:\Users\Admin\AppData\Local\Temp\057675eef0c78a4f47eff70d248b2cda.exe
"C:\Users\Admin\AppData\Local\Temp\057675eef0c78a4f47eff70d248b2cda.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:5244
- C:\Users\Admin\AppData\Local\Temp\057675eef0c78a4f47eff70d248b2cda.exe
  C:\Users\Admin\AppData\Local\Temp\057675eef0c78a4f47eff70d248b2cda.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:5664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 648
    3⤵
    - Program crash
    PID:6076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 656
    3⤵
    - Program crash
    PID:2744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 732
    3⤵
    - Program crash
    PID:6000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 740
    3⤵
    - Program crash
    PID:4848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 736
    3⤵
    - Program crash
    PID:4108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 1460
    3⤵
    - Program crash
    PID:804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 1912
    3⤵
    - Program crash
    PID:2164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 2144
    3⤵
    - Program crash
    PID:4172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 2096
    3⤵
    - Program crash
    PID:3096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 1928
    3⤵
    - Program crash
    PID:2232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 1980
    3⤵
    - Program crash
    PID:5580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 2128
    3⤵
    - Program crash
    PID:5324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 1984
    3⤵
    - Program crash
    PID:2984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 2260
    3⤵
    - Program crash
    PID:3700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 1992
    3⤵
    - Program crash
    PID:448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 2132
    3⤵
    - Program crash
    PID:64
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 660
    3⤵
    - Program crash
    PID:4760

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\057675eef0c78a4f47eff70d248b2cda.exe" /TN 0Su7L8S745c1 /F
1⤵
- Creates scheduled task(s)
PID:4744

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN 0Su7L8S745c1
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5664 -ip 5664
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 608
1⤵
- Program crash
PID:1436

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks.exe /Query /XML /TN 0Su7L8S745c1 > C:\Users\Admin\AppData\Local\Temp\qmLgr.xml
1⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5664 -ip 5664
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5664 -ip 5664
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5664 -ip 5664
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5664 -ip 5664
1⤵
PID:5272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5664 -ip 5664
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5664 -ip 5664
1⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5664 -ip 5664
1⤵
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5664 -ip 5664
1⤵
PID:5172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5664 -ip 5664
1⤵
PID:6020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5664 -ip 5664
1⤵
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5664 -ip 5664
1⤵
PID:5352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5664 -ip 5664
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5664 -ip 5664
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5664 -ip 5664
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5664 -ip 5664
1⤵
PID:5496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5664 -ip 5664
1⤵
PID:5628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5664 -ip 5664
1⤵
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\057675eef0c78a4f47eff70d248b2cda.exe

Filesize
6KB

MD5
1b431c6b749896c98b68f94d329ecda7

SHA1
ff5ff6563c13a0b55df672d6d3b4cee614fd7429

SHA256
c9052669a19de9f85536824f9476b3d37c27955fde83cda4b6efca1d74a7655a

SHA512
ddcf4a1655b7ec92616b589c7192c502a45221b4470f3578376f87ea59d4c6ab69fac8c353a61f4b67fd5e5ac49bad96544995fdf9a3deaed009ef1a1f3e74b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmLgr.xml

Filesize
1KB

MD5
167014813e557dc006c5b2970ece9e9b

SHA1
4cd5ad3c9b6ddf28b346a7dc1faedc0199af615c

SHA256
e896240fb13b570dfd7be8f0d04067f8021a35a7d2ab9545859c7e6b7c7c2bba

SHA512
0e5a757d3e8fd1536fec26bb1f0ccdddaaafb20a35c5d6d1f1f0daa6dc36ba01eb0b8857cc2e7b44ddb9fbfcd79416d4a9f9a6bb5285c9b871a1fa43743b835c

Download Submit
memory/5244-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/5244-6-0x0000000025050000-0x00000000250CE000-memory.dmp

Filesize
504KB

Download
memory/5244-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5244-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5664-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/5664-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5664-22-0x00000000004B0000-0x000000000051B000-memory.dmp

Filesize
428KB

Download
memory/5664-16-0x00000000016F0000-0x000000000176E000-memory.dmp

Filesize
504KB

Download
memory/5664-40-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads