8cd5810dd907bfe0437d01adf729f701999d0a9e44abcaa33cde2cfd26626299

Analysis

max time kernel
152s
max time network
135s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f00d67fa0b470adf0704518c8ca61e5.exe
Size

1.0MB
MD5

1f00d67fa0b470adf0704518c8ca61e5
SHA1

38b47ed137212ab6d65faa378024a34caf0aec12
SHA256

8cd5810dd907bfe0437d01adf729f701999d0a9e44abcaa33cde2cfd26626299
SHA512

e7a49eac898cc1ac107f861aec0c66cf5f359787908041c38875424a923bc7d004a80cc625686625839cdfc80f6e31110fcafa8ec9251e58c02eb4fd2781f759
SSDEEP

24576:6CAfOybvu2/ldJK62tfNHtA6vijfbyUmfeW+yPTF+:2G2u2/fJK6eO6KjDO3o

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2664	a12840.exe
2788	a44880.exe
2940	is-T62HS.tmp
2564	a23258.exe
2100	a76960.exe

Loads dropped DLL 14 IoCs

pid	Process
2500	1f00d67fa0b470adf0704518c8ca61e5.exe
2500	1f00d67fa0b470adf0704518c8ca61e5.exe
2664	a12840.exe
2500	1f00d67fa0b470adf0704518c8ca61e5.exe
2500	1f00d67fa0b470adf0704518c8ca61e5.exe
2500	1f00d67fa0b470adf0704518c8ca61e5.exe
2500	1f00d67fa0b470adf0704518c8ca61e5.exe
2500	1f00d67fa0b470adf0704518c8ca61e5.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2940	is-T62HS.tmp
2940	is-T62HS.tmp
2672	WerFault.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2500-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2500-45-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2672	2788	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2940	is-T62HS.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2100	a76960.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2664	2500	1f00d67fa0b470adf0704518c8ca61e5.exe	28
PID 2500 wrote to memory of 2664	2500	1f00d67fa0b470adf0704518c8ca61e5.exe	28
PID 2500 wrote to memory of 2664	2500	1f00d67fa0b470adf0704518c8ca61e5.exe	28
PID 2500 wrote to memory of 2664	2500	1f00d67fa0b470adf0704518c8ca61e5.exe	28
PID 2500 wrote to memory of 2664	2500	1f00d67fa0b470adf0704518c8ca61e5.exe	28
PID 2500 wrote to memory of 2664	2500	1f00d67fa0b470adf0704518c8ca61e5.exe	28
PID 2500 wrote to memory of 2664	2500	1f00d67fa0b470adf0704518c8ca61e5.exe	28
PID 2500 wrote to memory of 2788	2500	1f00d67fa0b470adf0704518c8ca61e5.exe	33
PID 2500 wrote to memory of 2788	2500	1f00d67fa0b470adf0704518c8ca61e5.exe	33
PID 2500 wrote to memory of 2788	2500	1f00d67fa0b470adf0704518c8ca61e5.exe	33
PID 2500 wrote to memory of 2788	2500	1f00d67fa0b470adf0704518c8ca61e5.exe	33
PID 2664 wrote to memory of 2940	2664	a12840.exe	32
PID 2664 wrote to memory of 2940	2664	a12840.exe	32
PID 2664 wrote to memory of 2940	2664	a12840.exe	32
PID 2664 wrote to memory of 2940	2664	a12840.exe	32
PID 2664 wrote to memory of 2940	2664	a12840.exe	32
PID 2664 wrote to memory of 2940	2664	a12840.exe	32
PID 2664 wrote to memory of 2940	2664	a12840.exe	32
PID 2500 wrote to memory of 2564	2500	1f00d67fa0b470adf0704518c8ca61e5.exe	31
PID 2500 wrote to memory of 2564	2500	1f00d67fa0b470adf0704518c8ca61e5.exe	31
PID 2500 wrote to memory of 2564	2500	1f00d67fa0b470adf0704518c8ca61e5.exe	31
PID 2500 wrote to memory of 2564	2500	1f00d67fa0b470adf0704518c8ca61e5.exe	31
PID 2788 wrote to memory of 2672	2788	a44880.exe	30
PID 2788 wrote to memory of 2672	2788	a44880.exe	30
PID 2788 wrote to memory of 2672	2788	a44880.exe	30
PID 2788 wrote to memory of 2672	2788	a44880.exe	30
PID 2500 wrote to memory of 2100	2500	1f00d67fa0b470adf0704518c8ca61e5.exe	29
PID 2500 wrote to memory of 2100	2500	1f00d67fa0b470adf0704518c8ca61e5.exe	29
PID 2500 wrote to memory of 2100	2500	1f00d67fa0b470adf0704518c8ca61e5.exe	29
PID 2500 wrote to memory of 2100	2500	1f00d67fa0b470adf0704518c8ca61e5.exe	29

C:\Users\Admin\AppData\Local\Temp\1f00d67fa0b470adf0704518c8ca61e5.exe
"C:\Users\Admin\AppData\Local\Temp\1f00d67fa0b470adf0704518c8ca61e5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\Temp\a12840.exe
  "C:\Users\Admin\AppData\Local\Temp\a12840.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\is-DM6HP.tmp\is-T62HS.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-DM6HP.tmp\is-T62HS.tmp" /SL4 $6011E "C:\Users\Admin\AppData\Local\Temp\a12840.exe" 704430 52736
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2940
- C:\Users\Admin\AppData\Local\Temp\a76960.exe
  "C:\Users\Admin\AppData\Local\Temp\a76960.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2100
- C:\Users\Admin\AppData\Local\Temp\a23258.exe
  "C:\Users\Admin\AppData\Local\Temp\a23258.exe"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\a44880.exe
  "C:\Users\Admin\AppData\Local\Temp\a44880.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 120
1⤵
- Loads dropped DLL
- Program crash
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a12840.exe

Filesize
307KB

MD5
5e8c322f705a77c71fc0afed147671e4

SHA1
07c02a3d47f894a552daa0ca4b0a75a08aa18641

SHA256
e3cfa3f9af2d171789ebfb3c74d16a9e271a5435286a87f17bd9267e1fa6132c

SHA512
588b6d37316d45b78d0c69a53efa9e8893047a0507342b64d191163c33a8ae605682752d7dc18127c614dc7cf15153d8d6b7952c8f6b49fc4007cd146c70e6cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a12840.exe

Filesize
274KB

MD5
a8e408686d51d43fcbee0ea31d4fdb64

SHA1
f0383c3c38545d81f68225297da4e306f324220f

SHA256
03a39483ae7506fedc4f341461e965563da812b414731c8bfd939fd0f4e4d03f

SHA512
481777f0e00e1d427a76e3216b687c1085d0873e98bc987265912e78ba5fe8df8a465a0d6c3026f097830bdf11e82488622a49fc58f66c245590f7dadcce1c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\a23258.exe

Filesize
5KB

MD5
3c950a3f25abac15b25e29091a4aca2a

SHA1
e0a392c71e0e3482a531fd53569d91451e2ed4e1

SHA256
a43fe8099890d4bd5533659f5533fc1f81ab4da29960a0830f62d33a4e295ab6

SHA512
c7a6512185aca8ac3b56bf81dbcb9aea51aded197ee8dc6e9ba0e39092b80837017d583b75a0854760b61cc6abc4f23b3041f5c1726f71007024a743d10ca932

Download Submit
C:\Users\Admin\AppData\Local\Temp\a76960.exe

Filesize
9KB

MD5
528857f047cff45451bff694507c3deb

SHA1
85b43fa3d6cf4977b3f86518879ce42799c92e67

SHA256
c0320656cb1e798238cc0bc7071cf616c6aeaa5dfcd04dc9f15de8dc64ea5859

SHA512
dff5f7614a6cc883dbe0c10c1cdd84a550f1c7dc0322a98a74fdbd4fcab13aa659c13dd0f4b30e024cae49910b81719a53b85c50c369b7102e9b6831f63c0f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DM6HP.tmp\is-T62HS.tmp

Filesize
415KB

MD5
9f19b46f57629a1878e1cb3ef07b08e0

SHA1
271e48375eb8cc820c94a015135a45eb4c5787af

SHA256
dede97c49f1134abecb50db2b884113e010fa4e5fd043492c4327ed5c86c90e6

SHA512
377c3630a876b0011917a770ed34bcbd6ccb2ee5b9d224fc2f8acd32ca80cad787714bebbe98a562f78cf63e9e6f591166f36d24249fc8097fa6d8c4eb8bad3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DM6HP.tmp\is-T62HS.tmp

Filesize
303KB

MD5
8b19d7af7ab020676ef0703ca9dc8c76

SHA1
c691c742a9af9f7bfcaec62fc69b5a8568c0cf9b

SHA256
76357cc39e5b965b82011bf601b4b2b0a987131c5c2c1880c50c796a10fd26a6

SHA512
6f4ead8054bdb1a0f2e8fc560a814cc88276142c5452cd13efbdb98d2171e3e2ba66c08d82fa31a25620baded91e98b2e18e6a97ee7f8a7f439ceed88551b7ee

Download Submit
\Users\Admin\AppData\Local\Temp\a12840.exe

Filesize
480KB

MD5
33569b8086cc98345f9c6d2f75e38f02

SHA1
8ce5565b2a7f8b7dcb07c383b7bcf8b249cd319c

SHA256
8fa4667b0d137445266fa56ee802b2b25ce0ca1617dcce6e56b69bc8dcb3b7ea

SHA512
274fae2f358d8a6090f68d2986fb003802be5a7f5401c459f01ba81d16a2fcd4086a08e9d92c0ba9b1f26ff7854d062d330f834d9c3b3a4acdbc1638091c7c23

Download Submit
\Users\Admin\AppData\Local\Temp\a44880.exe

Filesize
52KB

MD5
533009d9af171d110f6ac9296650bec0

SHA1
746b373ef63e2d7915e5d2e9cb6abd7d526b9cc2

SHA256
a524a90be01092f94673160ec1e02283752011d6972b69aacc42bc619c1bec5b

SHA512
3b1940f0af905865ca6d90466534b121b39afa84b9eed09cb130874f30270cd84232a0d3ba6cdace8a3cce9f5102b5f60a0a1a65c80e3c48a25b4948466713bb

Download Submit
\Users\Admin\AppData\Local\Temp\is-9JB0Q.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-DM6HP.tmp\is-T62HS.tmp

Filesize
234KB

MD5
f1de3715805d5bdd87ccb0b9358f57db

SHA1
703104c30a08c53a6b599d07cfddd97853731409

SHA256
62c92e911024ada64c90ff3d2f8ad29b47fb0b210b806969aaa0507c584e7eaa

SHA512
87afb0b878cc67a9403b1f0f0727b6a43d4393d5e8410739bcef874dc7a8d1bc1b4c0b5002a49c7a5dd195a83d0a5642500e6fa20e50bfd386846252af0b66fb

Download Submit
memory/2100-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2100-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2100-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2500-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2500-34-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/2500-47-0x0000000002680000-0x0000000002691000-memory.dmp

Filesize
68KB

Download
memory/2500-23-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/2500-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2664-12-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2664-63-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2664-8-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2788-44-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2940-60-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2940-64-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download