fe0789979551b216bcab3c67ae48392f0a4eefc0b6f0714eb86a7143cf395134

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0da29bfbd08da68ac09090ea8ca4a696.exe
Size

400KB
MD5

0da29bfbd08da68ac09090ea8ca4a696
SHA1

46eddfc24b6c84a2faf24419f887694822d0663d
SHA256

fe0789979551b216bcab3c67ae48392f0a4eefc0b6f0714eb86a7143cf395134
SHA512

07b055977b19dac5e3be492873b74112bbc747e1575106d14e3d65cfb4020faae8a48710b250f03e4b9320d9bcd9953dd49f8bb9f15b98eca521c0973aeb8428
SSDEEP

12288:KXGG4Qsmz6vsgtnkgFYjXAmSW2CaXkgLNH:KWjvJhkgmb30XdH

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3552	mI42900LjDfP42900.exe

Executes dropped EXE 1 IoCs

pid	Process
3552	mI42900LjDfP42900.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4608-6-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/4608-12-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/3552-19-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/3552-22-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/3552-29-0x0000000000400000-0x00000000004C0000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mI42900LjDfP42900 = "C:\\ProgramData\\mI42900LjDfP42900\\mI42900LjDfP42900.exe"	mI42900LjDfP42900.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2148	4608	WerFault.exe	88
1564	3552	WerFault.exe	96

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4608	0da29bfbd08da68ac09090ea8ca4a696.exe
4608	0da29bfbd08da68ac09090ea8ca4a696.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	0da29bfbd08da68ac09090ea8ca4a696.exe
Token: SeDebugPrivilege	3552	mI42900LjDfP42900.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3552	mI42900LjDfP42900.exe
3552	mI42900LjDfP42900.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 3552	4608	0da29bfbd08da68ac09090ea8ca4a696.exe	96
PID 4608 wrote to memory of 3552	4608	0da29bfbd08da68ac09090ea8ca4a696.exe	96
PID 4608 wrote to memory of 3552	4608	0da29bfbd08da68ac09090ea8ca4a696.exe	96

C:\Users\Admin\AppData\Local\Temp\0da29bfbd08da68ac09090ea8ca4a696.exe
"C:\Users\Admin\AppData\Local\Temp\0da29bfbd08da68ac09090ea8ca4a696.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 672
  2⤵
  - Program crash
  PID:2148
- C:\ProgramData\mI42900LjDfP42900\mI42900LjDfP42900.exe
  "C:\ProgramData\mI42900LjDfP42900\mI42900LjDfP42900.exe" "C:\Users\Admin\AppData\Local\Temp\0da29bfbd08da68ac09090ea8ca4a696.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 668
    3⤵
    - Program crash
    PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4608 -ip 4608
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3552 -ip 3552
1⤵
PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mI42900LjDfP42900\mI42900LjDfP42900.exe

Filesize
400KB

MD5
38ba13aa8055077616f5665aa21febef

SHA1
7d47a094cd257c35b3518a6617b2f1f70e4d7a81

SHA256
f939c13afd59e9157ffd005aee85462b8468ed357e709fe39f50eccd750d1bfb

SHA512
a534865e78274d4440f50c731d067e148dbebb9cfc29481bf38fa1152fb71823d8495a88809e467d74367bd6ad0bccf289a134f76d81492c3ca8dff20f1dd140

Download Submit
memory/3552-19-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3552-22-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3552-29-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4608-0-0x0000000000640000-0x0000000000643000-memory.dmp

Filesize
12KB

Download
memory/4608-6-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4608-12-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download