Analysis
-
max time kernel
137s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
30/12/2023, 11:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
16c4331a5e2deca7bfec0e4300e4b972.exe
Resource
win7-20231129-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral2
Sample
16c4331a5e2deca7bfec0e4300e4b972.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
16c4331a5e2deca7bfec0e4300e4b972.exe
-
Size
186KB
-
MD5
16c4331a5e2deca7bfec0e4300e4b972
-
SHA1
e43a39bc56f8945a7b2dd4cd8afcc99518001793
-
SHA256
a4615ff15437bcab8a0458288758b62d407cb00684fe15f3e38f143227e9286d
-
SHA512
0074f9788846b8abbdc2098be918b35b699f91ecc7f51a9c438616abdd42d9b1d58161a232406da2643cac3bc9d1b060f7103e18556cc14c0880bd81173ec32a
-
SSDEEP
3072:BnEOwnO5+Tyir8M/ORoz3LAKljikMTmAcThAkZThMTMz6s:Hwq+TyiFixTmAcThAkZThMTMj
Score
6/10
Malware Config
Signatures
-
Drops desktop.ini file(s) 5 IoCs
description ioc Process File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 16c4331a5e2deca7bfec0e4300e4b972.exe File created \??\c:\$Recycle.Bin\S-1-5-21-1497073144-2389943819-3385106915-1000\desktop.ini 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\$Recycle.Bin\S-1-5-21-1497073144-2389943819-3385106915-1000\desktop.ini 16c4331a5e2deca7bfec0e4300e4b972.exe File created \??\c:\Program Files\desktop.ini 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\desktop.ini 16c4331a5e2deca7bfec0e4300e4b972.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification \??\c:\Program Files\Java\jre-1.8\lib\security\trusted.libraries 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ppd.xrm-ms 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-crt-string-l1-1-0.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Threading.Tasks.Dataflow.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\System.Windows.Controls.Ribbon.resources.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Java\jre-1.8\lib\sound.properties 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\7-Zip\Lang\pa-in.txt 16c4331a5e2deca7bfec0e4300e4b972.exe File created \??\c:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Common Files\System\Ole DB\msdasqlr.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Java\jre-1.8\lib\jfxswt.jar 16c4331a5e2deca7bfec0e4300e4b972.exe File created \??\c:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-console-l1-1-0.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\UIAutomationClient.resources.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\UIAutomationClientSideProviders.resources.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Collections.Immutable.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Sockets.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB 16c4331a5e2deca7bfec0e4300e4b972.exe File created \??\c:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\PresentationCore.resources.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\PresentationUI.resources.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\System.Windows.Controls.Ribbon.resources.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ppd.xrm-ms 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\nacl_irt_x86_64.nexe 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ko.properties 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Integration\C2RIntLoc.en-us.16.msi 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Private.Xml.Linq.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\UIAutomationClientSideProviders.resources.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Candara.xml 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\javadoc.exe 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ppd.xrm-ms 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Security.Cryptography.Csp.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PresentationFramework-SystemXmlLinq.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-namedpipe-l1-1-0.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\System.Windows.Forms.Primitives.resources.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\splashscreen.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PresentationNative_cor3.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\legal\jdk\unicode.md 16c4331a5e2deca7bfec0e4300e4b972.exe File created \??\c:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat 16c4331a5e2deca7bfec0e4300e4b972.exe File created \??\c:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui 16c4331a5e2deca7bfec0e4300e4b972.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\ReachFramework.resources.dll 16c4331a5e2deca7bfec0e4300e4b972.exe File created \??\c:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui 16c4331a5e2deca7bfec0e4300e4b972.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 440 2292 WerFault.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\16c4331a5e2deca7bfec0e4300e4b972.exe"C:\Users\Admin\AppData\Local\Temp\16c4331a5e2deca7bfec0e4300e4b972.exe"1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2292 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 9962⤵
- Program crash
PID:440
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2292 -ip 22921⤵PID:4848
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
299KB
MD5fd8aab7f811600c91be569613c1f9550
SHA19d44f992cf3a50c4aae647aa57d842a585a6bb0b
SHA25623e6c95e2df717dd175eab8dc88216f89f1627e0bb18213f5adbb8ad16ea8ce2
SHA5122afef2eb833463783724a2e7c776223e5e429cc8903fcf9f5f34e070156da6afbd3c85a9bd5bb3415352b10fdacf763a188b69acfeedf1f6cd5dd3be52dcea45
-
Filesize
5B
MD5b5b682b742431a52ea8b17c72ad9c572
SHA1326320f469235708c59f678c9a7357dca552d306
SHA25630d9045a9f172208b13161d1f5204e5787e5e07bfbb4f490d0041b03b7f44f76
SHA5124e1bd7cc616b3115baf6be7ebd29fe2d1123bc0f25464865a0cf9207b0344fba70747a5ce6f00e8d9c696881f6db1e12f81736bc748b6f2b60bf84c681a49163