ed7852736268380cfb3dd61372a1929d3b9a9cc1c3f92f6bfebfaec3750afc8d

Analysis

max time kernel
119s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 09:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

13fe91c23ad0202039e0d27b83a5eaeb.exe
Size

237KB
MD5

13fe91c23ad0202039e0d27b83a5eaeb
SHA1

af889a8c6a777a732f608f02300765f38e43d7a6
SHA256

ed7852736268380cfb3dd61372a1929d3b9a9cc1c3f92f6bfebfaec3750afc8d
SHA512

8259d861fddbf28c7544d26f68addebd482f3bdeed411908fb66d36d7e295adddef4d15fc2914db92f5ab962c0be936c5e4dcdd2daf923ed5e3cd126b0cb03cf
SSDEEP

6144:RHSO0r0DfjK2SBwkzKwaZqRfRViajnGsuA:sA7BiwkzjaMPnv

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2288	load.exe

Loads dropped DLL 6 IoCs

pid	Process
2636	13fe91c23ad0202039e0d27b83a5eaeb.exe
2636	13fe91c23ad0202039e0d27b83a5eaeb.exe
2696	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\user16 = "C:\\Windows\\system32\\cmd16.exe"	13fe91c23ad0202039e0d27b83a5eaeb.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cmd16.exe	13fe91c23ad0202039e0d27b83a5eaeb.exe
File created	C:\Windows\SysWOW64\cmd16.exe	13fe91c23ad0202039e0d27b83a5eaeb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2696	2288	WerFault.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2288	2636	13fe91c23ad0202039e0d27b83a5eaeb.exe	18
PID 2636 wrote to memory of 2288	2636	13fe91c23ad0202039e0d27b83a5eaeb.exe	18
PID 2636 wrote to memory of 2288	2636	13fe91c23ad0202039e0d27b83a5eaeb.exe	18
PID 2636 wrote to memory of 2288	2636	13fe91c23ad0202039e0d27b83a5eaeb.exe	18
PID 2288 wrote to memory of 2696	2288	load.exe	17
PID 2288 wrote to memory of 2696	2288	load.exe	17
PID 2288 wrote to memory of 2696	2288	load.exe	17
PID 2288 wrote to memory of 2696	2288	load.exe	17

C:\Users\Admin\AppData\Local\Temp\13fe91c23ad0202039e0d27b83a5eaeb.exe
"C:\Users\Admin\AppData\Local\Temp\13fe91c23ad0202039e0d27b83a5eaeb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Local\Temp\load.exe
  "C:\Users\Admin\AppData\Local\Temp\load.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 92
1⤵
- Loads dropped DLL
- Program crash
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\load.exe

Filesize
4KB

MD5
10594cc5597a5a1a2e945f3f511e263d

SHA1
3c2aca4b3d58804d1e0cafa9bb18f6735639f1bb

SHA256
ae79b10f8e02b58703d9f58108ae49c243e4b11f7ab5c867bebfa8850eead0f5

SHA512
c84cccad1cb94e710c084bc1b394baeffb48f56251741c869b99ae0cea8284eab2155a979bd393553130d5b6b94f50860c38a50d08dc5c772413a5b92c26406e

Download Submit
\Users\Admin\AppData\Local\Temp\load.exe

Filesize
27KB

MD5
cfbc117d6429028d1e592da418b5a80d

SHA1
fca186b6596ebfbaa0334b52f08cbde2c58be01d

SHA256
d0b1c2bf0b0f0a0d681e19968299bfdf0da36b08c82d4e34f57f0807db6aa9f9

SHA512
93cc33bf7cc1bf5b3dbd10f2f3f7798add5060341c46a5c7bd4a5207341c64cd9b6c527bd3a59838afa5b3372317f9b56c5da3bc5ed784d7765569a53cf85daa

Download Submit
\Users\Admin\AppData\Local\Temp\load.exe

Filesize
12KB

MD5
d5a0e46803e9598db970ae07b278543c

SHA1
c8a23603fd0c23e3215b0ebdd03bc44e11c64aaf

SHA256
9def61b8697b0a83e013e5acde95ac19b1fc6ef3c1ff7d12e248877531e30c6a

SHA512
3a95291ee05580cdf93b8e42f799f228dcc16eb6a69de9646922a36f03293e8e3eb474f8b9935d101ff05c3ea76f12c6a9d4aee1b7140c67317149770804f288

Download Submit
memory/2636-11-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads