7312d3ac818d44fa2f90cb4f610c23d89bedb2c76dd19bc3ecfde30a15036dc7

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c4254f7796ec1f9f03f21c873766613.exe
Size

284KB
MD5

1c4254f7796ec1f9f03f21c873766613
SHA1

e3cdb4ab6888156f35b66ec4b2120e5dd1f9b96a
SHA256

7312d3ac818d44fa2f90cb4f610c23d89bedb2c76dd19bc3ecfde30a15036dc7
SHA512

8dc43a7021ccb7478745e599670941e9930f1e51ac84915c61a58d3d929f8b7539fbcbf0ce3fb59202d9e46286d74655b212752f9de165975fa56f0663e79484
SSDEEP

6144:tyrf5tfsZxQ0BI/04stNE25KeD1i4Ofy59BDcspPU8CP0G9:qRN0BxYQ/QWO8CP0C

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2784	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1964	R_Server.exe

Loads dropped DLL 5 IoCs

pid	Process
1684	1c4254f7796ec1f9f03f21c873766613.exe
1684	1c4254f7796ec1f9f03f21c873766613.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1684-0-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1964-12-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1684-11-0x0000000003390000-0x0000000003454000-memory.dmp	upx
behavioral1/files/0x000a000000012251-4.dat	upx
behavioral1/memory/1684-18-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1964-19-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1684-31-0x0000000000400000-0x00000000004C4000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Deleteme.bat	1c4254f7796ec1f9f03f21c873766613.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe	1c4254f7796ec1f9f03f21c873766613.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe	1c4254f7796ec1f9f03f21c873766613.exe

Program crash 1 IoCs

pid	pid_target	Process
2160	1964	WerFault.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1964	1684	1c4254f7796ec1f9f03f21c873766613.exe	15
PID 1684 wrote to memory of 1964	1684	1c4254f7796ec1f9f03f21c873766613.exe	15
PID 1684 wrote to memory of 1964	1684	1c4254f7796ec1f9f03f21c873766613.exe	15
PID 1684 wrote to memory of 1964	1684	1c4254f7796ec1f9f03f21c873766613.exe	15
PID 1964 wrote to memory of 2160	1964	R_Server.exe	14
PID 1964 wrote to memory of 2160	1964	R_Server.exe	14
PID 1964 wrote to memory of 2160	1964	R_Server.exe	14
PID 1964 wrote to memory of 2160	1964	R_Server.exe	14
PID 1684 wrote to memory of 2784	1684	1c4254f7796ec1f9f03f21c873766613.exe	30
PID 1684 wrote to memory of 2784	1684	1c4254f7796ec1f9f03f21c873766613.exe	30
PID 1684 wrote to memory of 2784	1684	1c4254f7796ec1f9f03f21c873766613.exe	30
PID 1684 wrote to memory of 2784	1684	1c4254f7796ec1f9f03f21c873766613.exe	30

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 268
1⤵
- Loads dropped DLL
- Program crash
PID:2160

C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\1c4254f7796ec1f9f03f21c873766613.exe
"C:\Users\Admin\AppData\Local\Temp\1c4254f7796ec1f9f03f21c873766613.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  - Deletes itself
  PID:2784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deleteme.bat

Filesize
184B

MD5
b29685a1b59687eccf7d2ca097d086ca

SHA1
a16d7ee5e9754b769ffc385ac15579ce125e08bf

SHA256
65ddafdfdaa614023c0a80051301620bc46901fdaf8d13d663a17d7a8432a243

SHA512
8929fbfdd125f49be65beb545df6f6fe364bc917d5dcb2ab7a15bd83bc756c0ae5f6205e494eb56047d07b1ac9d04df2d8e669a3f178d62ea952719fdd72c1b3

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe

Filesize
1KB

MD5
2ae3aba8d7a6f8b55cf5ffb7c5bacec3

SHA1
d90b668cc9096ddbbb18cc0b48ae9a207f366709

SHA256
e1764c6a71727c43746606980a7f9e1e263a6dbec18790532a43a2329102dbde

SHA512
2bce961fb2aec0fbcd883f0cefa996bc1c1748bcad62de9ee60e6591134726fbb2769f515ab560b1d88c1f9fd1263fcff89125e6f52f47f4c0e2e518f2a7e8a0

Download Submit
memory/1684-0-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1684-13-0x0000000003390000-0x0000000003454000-memory.dmp

Filesize
784KB

Download
memory/1684-11-0x0000000003390000-0x0000000003454000-memory.dmp

Filesize
784KB

Download
memory/1684-3-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1684-18-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1684-31-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1964-12-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1964-14-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1964-19-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download