f3977f57399bee2d81dee827bad73198da90ce7cfcd5998638a4d35efc269a38

Analysis

max time kernel
5s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ae6b804adb887c93e42c7f43e202acb.exe
Size

6.0MB
MD5

0ae6b804adb887c93e42c7f43e202acb
SHA1

660ca21a94179bcb71bebb9f771fd7b786368012
SHA256

f3977f57399bee2d81dee827bad73198da90ce7cfcd5998638a4d35efc269a38
SHA512

4fe473ee7db83b92f9256ee808d11236f53514608ec8c7528ac63e16eb033e4a429af4cd46a830bdd2331071ce72d12d0fa6fb00c6cb35d1c7f51b76ac7ae1f5
SSDEEP

98304:UUcfkk2cakl1rCZ+6GfUstcakrpoMS5wiExwRcakl1rCZ+6GfUstcakhfu8bTOM7:1cff2dIrC06WddlMgwAdIrC06WddUu8d

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2992	0ae6b804adb887c93e42c7f43e202acb.exe

Executes dropped EXE 1 IoCs

pid	Process
2992	0ae6b804adb887c93e42c7f43e202acb.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2808-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/memory/2992-13-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 18 IoCs

pid	pid_target	Process	procid_target
1400	2992	WerFault.exe	23
1060	2992	WerFault.exe	23
3840	2992	WerFault.exe	23
3912	2992	WerFault.exe	23
2716	2992	WerFault.exe	23
4932	2992	WerFault.exe	23
3380	2992	WerFault.exe	23
3396	2992	WerFault.exe	23
4528	2992	WerFault.exe	23
1900	2992	WerFault.exe	23
4632	2992	WerFault.exe	23
3684	2992	WerFault.exe	23
1656	2992	WerFault.exe	23
640	2992	WerFault.exe	23
4812	2992	WerFault.exe	23
2740	2992	WerFault.exe	23
4820	2992	WerFault.exe	23
1588	2992	WerFault.exe	23

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3952	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2808	0ae6b804adb887c93e42c7f43e202acb.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2808	0ae6b804adb887c93e42c7f43e202acb.exe
2992	0ae6b804adb887c93e42c7f43e202acb.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2992	2808	0ae6b804adb887c93e42c7f43e202acb.exe	23
PID 2808 wrote to memory of 2992	2808	0ae6b804adb887c93e42c7f43e202acb.exe	23
PID 2808 wrote to memory of 2992	2808	0ae6b804adb887c93e42c7f43e202acb.exe	23
PID 2992 wrote to memory of 3952	2992	0ae6b804adb887c93e42c7f43e202acb.exe	25
PID 2992 wrote to memory of 3952	2992	0ae6b804adb887c93e42c7f43e202acb.exe	25
PID 2992 wrote to memory of 3952	2992	0ae6b804adb887c93e42c7f43e202acb.exe	25
PID 2992 wrote to memory of 3744	2992	0ae6b804adb887c93e42c7f43e202acb.exe	32
PID 2992 wrote to memory of 3744	2992	0ae6b804adb887c93e42c7f43e202acb.exe	32
PID 2992 wrote to memory of 3744	2992	0ae6b804adb887c93e42c7f43e202acb.exe	32
PID 3744 wrote to memory of 1552	3744	cmd.exe	31
PID 3744 wrote to memory of 1552	3744	cmd.exe	31
PID 3744 wrote to memory of 1552	3744	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\0ae6b804adb887c93e42c7f43e202acb.exe
"C:\Users\Admin\AppData\Local\Temp\0ae6b804adb887c93e42c7f43e202acb.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\0ae6b804adb887c93e42c7f43e202acb.exe
  C:\Users\Admin\AppData\Local\Temp\0ae6b804adb887c93e42c7f43e202acb.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\0ae6b804adb887c93e42c7f43e202acb.exe" /TN 0Su7L8S745c1 /F
    3⤵
    - Creates scheduled task(s)
    PID:3952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 612
    3⤵
    - Program crash
    PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 0Su7L8S745c1 > C:\Users\Admin\AppData\Local\Temp\qpe9a.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 648
    3⤵
    - Program crash
    PID:1060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 736
    3⤵
    - Program crash
    PID:3840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 652
    3⤵
    - Program crash
    PID:3912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 704
    3⤵
    - Program crash
    PID:2716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 780
    3⤵
    - Program crash
    PID:4932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1456
    3⤵
    - Program crash
    PID:3380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1916
    3⤵
    - Program crash
    PID:3396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 2144
    3⤵
    - Program crash
    PID:4528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1876
    3⤵
    - Program crash
    PID:1900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1920
    3⤵
    - Program crash
    PID:4632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 2096
    3⤵
    - Program crash
    PID:3684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 2100
    3⤵
    - Program crash
    PID:1656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1876
    3⤵
    - Program crash
    PID:640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 2148
    3⤵
    - Program crash
    PID:4812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 2140
    3⤵
    - Program crash
    PID:2740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 896
    3⤵
    - Program crash
    PID:4820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 732
    3⤵
    - Program crash
    PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2992 -ip 2992
1⤵
PID:4464

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN 0Su7L8S745c1
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2992 -ip 2992
1⤵
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2992 -ip 2992
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2992 -ip 2992
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2992 -ip 2992
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2992 -ip 2992
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2992 -ip 2992
1⤵
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2992 -ip 2992
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2992 -ip 2992
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2992 -ip 2992
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2992 -ip 2992
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2992 -ip 2992
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2992 -ip 2992
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2992 -ip 2992
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2992 -ip 2992
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2992 -ip 2992
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2992 -ip 2992
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2992 -ip 2992
1⤵
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2808-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2808-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2808-3-0x0000000001720000-0x000000000179E000-memory.dmp

Filesize
504KB

Download
memory/2808-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2992-17-0x0000000023FF0000-0x000000002406E000-memory.dmp

Filesize
504KB

Download
memory/2992-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2992-22-0x00000000004B0000-0x000000000051B000-memory.dmp

Filesize
428KB

Download
memory/2992-13-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2992-40-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads