ca0cf220d6ad198b5a5d2469666923d5d472f62abbd0eb7572f0bce734bb2ac2

Analysis

max time kernel
191s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

097e35acf6d7026d8794bb43e8df0e9b.exe
Size

396KB
MD5

097e35acf6d7026d8794bb43e8df0e9b
SHA1

29cbf7fd6176330952e3be1eb712428458d083c9
SHA256

ca0cf220d6ad198b5a5d2469666923d5d472f62abbd0eb7572f0bce734bb2ac2
SHA512

0539ead1f1b9c05262e50c7e8e45fc9c30feef3c628de37af30a8d1698ac72fadd0bb366e9d13acc32b7bb6ae4aeb44e7bdb4381b545447a91f0da69be59d680
SSDEEP

6144:+sUcjPG3DLLSYgIOH4gTS44udC3d9cVx54vEa3t4ywDikLA6V0zAWi+R:8cju3fuYgnYgOluI3vcVxSv79rmozxN

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2844	oL06511EnPlP06511.exe

Executes dropped EXE 1 IoCs

pid	Process
2844	oL06511EnPlP06511.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4340-1-0x0000000000400000-0x00000000004F0000-memory.dmp	upx
behavioral2/memory/4340-7-0x0000000000400000-0x00000000004F0000-memory.dmp	upx
behavioral2/memory/4340-14-0x0000000000400000-0x00000000004F0000-memory.dmp	upx
behavioral2/memory/2844-20-0x0000000000400000-0x00000000004F0000-memory.dmp	upx
behavioral2/memory/2844-23-0x0000000000400000-0x00000000004F0000-memory.dmp	upx
behavioral2/memory/2844-30-0x0000000000400000-0x00000000004F0000-memory.dmp	upx
behavioral2/memory/2844-32-0x0000000000400000-0x00000000004F0000-memory.dmp	upx
behavioral2/memory/2844-35-0x0000000000400000-0x00000000004F0000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oL06511EnPlP06511 = "C:\\ProgramData\\oL06511EnPlP06511\\oL06511EnPlP06511.exe"	oL06511EnPlP06511.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2500	4340	WerFault.exe	57
3884	2844	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4340	097e35acf6d7026d8794bb43e8df0e9b.exe
4340	097e35acf6d7026d8794bb43e8df0e9b.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4340	097e35acf6d7026d8794bb43e8df0e9b.exe
Token: SeDebugPrivilege	2844	oL06511EnPlP06511.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2844	oL06511EnPlP06511.exe
2844	oL06511EnPlP06511.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 2844	4340	097e35acf6d7026d8794bb43e8df0e9b.exe	95
PID 4340 wrote to memory of 2844	4340	097e35acf6d7026d8794bb43e8df0e9b.exe	95
PID 4340 wrote to memory of 2844	4340	097e35acf6d7026d8794bb43e8df0e9b.exe	95

C:\Users\Admin\AppData\Local\Temp\097e35acf6d7026d8794bb43e8df0e9b.exe
"C:\Users\Admin\AppData\Local\Temp\097e35acf6d7026d8794bb43e8df0e9b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 668
  2⤵
  - Program crash
  PID:2500
- C:\ProgramData\oL06511EnPlP06511\oL06511EnPlP06511.exe
  "C:\ProgramData\oL06511EnPlP06511\oL06511EnPlP06511.exe" "C:\Users\Admin\AppData\Local\Temp\097e35acf6d7026d8794bb43e8df0e9b.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 668
    3⤵
    - Program crash
    PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4340 -ip 4340
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2844 -ip 2844
1⤵
PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\oL06511EnPlP06511\oL06511EnPlP06511.exe

Filesize
396KB

MD5
b29e103851768df90a1b48c39f34644f

SHA1
14a91fef4f72df23450cd98130f747a501dba452

SHA256
5c6a8d4fc1ff568153707269f793780a638d00241f23ebacfc0e7a44210539ee

SHA512
54ea68dc84d525ab4b3827679c2f629ec41f9198cfd8414911113d3e5dba0c5b77fda37947c65660cedde912ab1e4479cb2161a2238624e0e50228913ef4191a

Download Submit
C:\ProgramData\oL06511EnPlP06511\oL06511EnPlP06511.exe

Filesize
64KB

MD5
b03c9b8aca08e711455bfef79d5fee98

SHA1
a40227a4d95b7ada832242b2a4b05b59b171598a

SHA256
4d2b41d3760fd2713e8a35f85cb0e23cb2e11e07ed887bac4e34546b9a6fb6c2

SHA512
dc2f0a0389a404a50b1aa55956a619c210c12e8ffa4267c322fd1a2fc19e7f47d2c26b3a7641bc78a567dd3f6727cbd024c9bbe1d1abf7fd69b708508906b351

Download Submit
memory/2844-20-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2844-23-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2844-30-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2844-32-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2844-35-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4340-0-0x0000000002360000-0x0000000002362000-memory.dmp

Filesize
8KB

Download
memory/4340-1-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4340-7-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4340-14-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download