Analysis
max time kernel: 137s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/12/2023, 20:24
Static task: static1
Behavioral task: behavioral1
  Sample: 0305fc543c6f8ddd04cd2709c16581cf.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 0305fc543c6f8ddd04cd2709c16581cf.exe
  Resource: win10v2004-20231222-en
General
Target: 0305fc543c6f8ddd04cd2709c16581cf.exe
Size: 275KB
MD5: 0305fc543c6f8ddd04cd2709c16581cf
SHA1: 2fa754a6b3dd80971c9336c3945fb938690e4d91
SHA256: 78a7b788fb407ad83ff1eca804d9eb912fab73fd583478f4e165b886c4f200d8
SHA512: bb5b185f905d9fd1bec7ac478ed92968ceb8332df7ea21ad66afac06133a79442b94a9d08165d2ca90a14a297439ff4222e18b5beddfe066e1ca19412a4d59e9
SSDEEP: 3072:ynEOlACIzymfBn7ipFrnCusFPdnEOlACIzymfBn7ipFrnCusFPcnEOlACIzymfBO:wNmft7iTnerNmft7iTnemNmft7iTnek
Malware Config
Signatures
Drops desktop.ini file(s) (4 IoCs)
description | ioc (Process: 0305fc543c6f8ddd04cd2709c16581cf.exe for all rows)
File created                  \??\c:\$Recycle.Bin\S-1-5-21-3803511929-1339359695-2191195476-1000\desktop.ini
File opened for modification  \??\c:\$Recycle.Bin\S-1-5-21-3803511929-1339359695-2191195476-1000\desktop.ini
File created                  \??\c:\Program Files\desktop.ini
File opened for modification  \??\c:\Program Files\desktop.ini
Drops file in Program Files directory (64 IoCs)
description | ioc (Process: 0305fc543c6f8ddd04cd2709c16581cf.exe for all rows)
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Diagnostics.DiagnosticSource.dll
File opened for modification  \??\c:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll
File opened for modification  \??\c:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-heap-l1-1-0.dll
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\Microsoft.VisualBasic.Forms.resources.dll
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\PresentationFramework.resources.dll
File opened for modification  \??\c:\Program Files\Java\jre-1.8\lib\javaws.jar
File created                  \??\c:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Reflection.Emit.dll
File created                  \??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml
File created                  \??\c:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\Microsoft.NETCore.App.deps.json
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-phn.xrm-ms
File opened for modification  \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll
File opened for modification  \??\c:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui
File created                  \??\c:\Program Files\Internet Explorer\es-ES\ieinstal.exe.mui
File opened for modification  \??\c:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\Microsoft.VisualBasic.Forms.resources.dll
File created                  \??\c:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui
File created                  \??\c:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\UIAutomationClientSideProviders.resources.dll
File opened for modification  \??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\WindowsBase.resources.dll
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\UIAutomationTypes.resources.dll
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\WindowsBase.resources.dll
File opened for modification  \??\c:\Program Files\Java\jdk-1.8\jre\legal\javafx\jpeg_fx.md
File opened for modification  \??\c:\Program Files\Java\jre-1.8\bin\vcruntime140_1.dll
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Memory.dll
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\PresentationCore.resources.dll
File opened for modification  \??\c:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.Pipes.dll
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Data.dll
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Resources.Reader.dll
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\System.Windows.Controls.Ribbon.resources.dll
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\UIAutomationProvider.resources.dll
File opened for modification  \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll
File opened for modification  \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll
File opened for modification  \??\c:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access
File opened for modification  \??\c:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md
File opened for modification  \??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll
File opened for modification  \??\c:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\UIAutomationTypes.resources.dll
File opened for modification  \??\c:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Collections.Immutable.dll
File opened for modification  \??\c:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt
File opened for modification  \??\c:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist
File opened for modification  \??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework.Aero.dll
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Windows.Input.Manipulations.dll
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\WindowsBase.resources.dll
File opened for modification  \??\c:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar
File opened for modification  \??\c:\Program Files\Java\jdk-1.8\legal\javafx\gstreamer.md
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml
File opened for modification  \??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Security.AccessControl.dll
File created                  \??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml
File opened for modification  \??\c:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Xml.ReaderWriter.dll
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\UIAutomationProvider.resources.dll
File opened for modification  \??\c:\Program Files\Java\jre-1.8\legal\javafx\directshow.md
File opened for modification  \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll
File opened for modification  \??\c:\Program Files\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui
File opened for modification  \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework.AeroLite.dll
Program crash (1 IoC)
pid | pid_target | Process | procid_target
1908 | 3476 | WerFault.exe | 67
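The sandbox renders each signature as a three-column table (description, ioc, Process) and the crash signature as a pid/pid_target pair; text extraction collapses those tables into run-on lines. As an added example, not part of the sandbox report or of the sample, the following Python rebuilds the rows from the flattened text, tallies what the process touched, flags the mass-write-into-Program-Files pattern with a threshold heuristic, and pulls the target PID out of a WerFault.exe command line so the crash can be tied back to the sample's PID (3476 above). The sample rows are copied from this report into a constructed string; the function names and the threshold are assumptions of this example.

```python
"""Triage helpers for a flattened sandbox signature table (added example)."""
import re
from collections import Counter

# Constructed input: five rows copied from the report in the flattened form the
# extractor produced. Row 3 is an edge case: a path whose name contains ".exe".
FLATTENED_ROWS = (
    "description ioc Process "
    r"File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Memory.dll 0305fc543c6f8ddd04cd2709c16581cf.exe "
    r"File created \??\c:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui 0305fc543c6f8ddd04cd2709c16581cf.exe "
    r"File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui 0305fc543c6f8ddd04cd2709c16581cf.exe "
    r"File created \??\c:\$Recycle.Bin\S-1-5-21-3803511929-1339359695-2191195476-1000\desktop.ini 0305fc543c6f8ddd04cd2709c16581cf.exe "
    r"File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist 0305fc543c6f8ddd04cd2709c16581cf.exe"
)

# A row is: <description> <path with spaces> <process ending in .exe>, and the
# next row (or end of text) must follow the process name. The lookahead keeps
# "ShapeCollector.exe.mui" from being mistaken for the process column.
ROW_RE = re.compile(
    r"(File created|File opened for modification) (.+?) (\S+\.exe)"
    r"(?= File created| File opened for modification|$)"
)
NT_PREFIX = "\\??\\"  # the sandbox logs NT object paths: \??\c:\...
PROGRAM_FILES = "c:\\program files"


def parse_rows(text: str) -> list[dict]:
    """Rebuild description/path/process records from the flattened table."""
    return [
        {"description": m.group(1), "path": m.group(2), "process": m.group(3)}
        for m in ROW_RE.finditer(text)
    ]


def normalize(path: str) -> str:
    """Drop the \\??\\ prefix so the path reads as a normal Win32 path."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def top_dir(path: str) -> str:
    """Drive plus first directory, lower-cased, e.g. 'c:\\program files'."""
    parts = normalize(path).split("\\")
    return "\\".join(parts[:2]).lower()


def summarize(rows: list[dict]) -> dict:
    """Counts by action and by top-level directory, plus the processes seen."""
    return {
        "total": len(rows),
        "by_description": dict(Counter(r["description"] for r in rows)),
        "by_top_dir": dict(Counter(top_dir(r["path"]) for r in rows)),
        "processes": sorted({r["process"] for r in rows}),
    }


def flag_mass_program_files_writes(rows: list[dict], threshold: int = 50) -> list[str]:
    """Processes that created or modified at least `threshold` files under
    C:\\Program Files. The threshold is an assumed tuning value."""
    counts = Counter(
        r["process"] for r in rows if top_dir(r["path"]) == PROGRAM_FILES
    )
    return sorted(p for p, n in counts.items() if n >= threshold)


# "-p <pid>" names the crashing process; "-pss" must not match, so require
# a space and digits after "-p".
WERFAULT_RE = re.compile(r"WerFault\.exe .*?-p (\d+)")


def crashed_pid(cmdline: str):
    """PID of the process WerFault.exe was launched for, or None."""
    m = WERFAULT_RE.search(cmdline)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    parsed = parse_rows(FLATTENED_ROWS)
    print(summarize(parsed))
    print("flagged:", flag_mass_program_files_writes(parsed, threshold=3))
    print("crashed pid:", crashed_pid(r"C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 888"))
```

Run against the full 64-row table the default threshold of 50 would fire for the sample; on the five constructed rows it fires only when the threshold is lowered, which is the knob to tune against a baseline of legitimate installers that also write under Program Files.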
Processes
1. C:\Users\Admin\AppData\Local\Temp\0305fc543c6f8ddd04cd2709c16581cf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0305fc543c6f8ddd04cd2709c16581cf.exe"
   PID: 3476
   Signatures: Drops desktop.ini file(s); Drops file in Program Files directory
   2. C:\Windows\SysWOW64\WerFault.exe (child of PID 3476)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 888
      PID: 1908
      Signatures: Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3476 -ip 3476
   PID: 3144
Network
MITRE ATT&CK Matrix
Downloads
File 1
Filesize: 388KB
MD5: 4ec3fc0aaebffd0216a4f0da5387311d
SHA1: facf1483b78ddc219ef69c8c32263065526e366d
SHA256: c3df56918d74f4b54ba2c31f1ba341374421fa8be262d1a1a7f501f07d14733c
SHA512: 4b933ffa229df2b26af8569d86be6a500579c0b49e7fc9db77138df6ecc3275ed20d055edabce2839adbe76a05ddf948d5b2df743fca3c71c0aba21c6371f40f
File 2
Filesize: 5B
MD5: b5b682b742431a52ea8b17c72ad9c572
SHA1: 326320f469235708c59f678c9a7357dca552d306
SHA256: 30d9045a9f172208b13161d1f5204e5787e5e07bfbb4f490d0041b03b7f44f76
SHA512: 4e1bd7cc616b3115baf6be7ebd29fe2d1123bc0f25464865a0cf9207b0344fba70747a5ce6f00e8d9c696881f6db1e12f81736bc748b6f2b60bf84c681a49163