Analysis
- max time kernel: 142s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-12-2023 21:26
Static task: static1
Behavioral task: behavioral1
- Sample: 0468c7b0d19979c4d8039be61440c745.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 0468c7b0d19979c4d8039be61440c745.exe
- Resource: win10v2004-20231215-en
General
- Target: 0468c7b0d19979c4d8039be61440c745.exe
- Size: 5.0MB
- MD5: 0468c7b0d19979c4d8039be61440c745
- SHA1: 33b241223665b8693afcf73e9969311d8f18dc9d
- SHA256: de093935871c78892664b422ff2141d0e8b18e7fa9515d387754042b820faa87
- SHA512: e8cfb33138143a127c53641b2c55f6168db19645b39f16b02873f175e1b13cc9582f3d322b9ff5bd95191f65a232fb9714cc1b5f5657eaf644e5cdf2ff924ff7
- SSDEEP: 49152:PgWb2n8yIyiVPh74Gzqmf6aGgKqhI8boQhfD6UDvxvykXk1rBsgyegFKvc4clwY:YXrwVegTDm
Malware Config
Signatures
- Drops desktop.ini file(s) 4 IoCs
  description | ioc | Process
  File created | \??\c:\$Recycle.Bin\S-1-5-21-3336304223-2978740688-3645194410-1000\desktop.ini | 0468c7b0d19979c4d8039be61440c745.exe
  File opened for modification | \??\c:\$Recycle.Bin\S-1-5-21-3336304223-2978740688-3645194410-1000\desktop.ini | 0468c7b0d19979c4d8039be61440c745.exe
  File created | \??\c:\Program Files\desktop.ini | 0468c7b0d19979c4d8039be61440c745.exe
  File opened for modification | \??\c:\Program Files\desktop.ini | 0468c7b0d19979c4d8039be61440c745.exe
- Drops file in Program Files directory 64 IoCs
- Program crash 1 IoCs
  pid  | pid_target | Process      | procid_target
  2564 | 3584       | WerFault.exe | 87
Processes
- C:\Users\Admin\AppData\Local\Temp\0468c7b0d19979c4d8039be61440c745.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0468c7b0d19979c4d8039be61440c745.exe"
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  PID:3584
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 632
    - Program crash
    PID:2564
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3584 -ip 3584
  PID:376
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 2.6MB
  MD5: 2fc0e59577b0c4819303ec5915d0afbf
  SHA1: bbb8f856942c7aaec3a8ab58aeff47174508e481
  SHA256: 98d2d7f5a87462d773e8b0a0591ed1e7619be16ddbe154e2ee447b5a9499649d
  SHA512: fe59cf2f450df0ef77874b66f99e58446eb9ac855d48a7ea545d88a7f162341c3e48144e905f8618d2b5c168ac5024869b2828bfc59f9d10a7e03868765cf5ac
- Filesize: 5B
  MD5: b5b682b742431a52ea8b17c72ad9c572
  SHA1: 326320f469235708c59f678c9a7357dca552d306
  SHA256: 30d9045a9f172208b13161d1f5204e5787e5e07bfbb4f490d0041b03b7f44f76
  SHA512: 4e1bd7cc616b3115baf6be7ebd29fe2d1123bc0f25464865a0cf9207b0344fba70747a5ce6f00e8d9c696881f6db1e12f81736bc748b6f2b60bf84c681a49163