3f490362db7a369ba1ce7693425e5a0c841c549797022658d7bb94a082011c33

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24ab578c2502650cd3cd0b129f53056b.exe
Size

505KB
MD5

24ab578c2502650cd3cd0b129f53056b
SHA1

c0af7027f89751406a9bb21d14e4b7823b41f8c5
SHA256

3f490362db7a369ba1ce7693425e5a0c841c549797022658d7bb94a082011c33
SHA512

2298493510474c35896e5615d65770a259bfd0fad86fbe117699fb471e8657f2428d7d5562652051c1ec8e6521c150890354b7a8a80ef1e71c1e286b4e8e8c5c
SSDEEP

12288:/zy6rRxEHdjDblNMi7Vhdyr1gqfZRqK6JVd/Ml4i/2ZBRdOFcbG/o:e6rTkRblLwqqfZRVUVd/NrBRs2bd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2700	ysf.exe

Loads dropped DLL 5 IoCs

pid	Process
2652	24ab578c2502650cd3cd0b129f53056b.exe
2652	24ab578c2502650cd3cd0b129f53056b.exe
3004	WerFault.exe
3004	WerFault.exe
3004	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3004	2700	WerFault.exe	28

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2700	2652	24ab578c2502650cd3cd0b129f53056b.exe	28
PID 2652 wrote to memory of 2700	2652	24ab578c2502650cd3cd0b129f53056b.exe	28
PID 2652 wrote to memory of 2700	2652	24ab578c2502650cd3cd0b129f53056b.exe	28
PID 2652 wrote to memory of 2700	2652	24ab578c2502650cd3cd0b129f53056b.exe	28
PID 2700 wrote to memory of 3004	2700	ysf.exe	29
PID 2700 wrote to memory of 3004	2700	ysf.exe	29
PID 2700 wrote to memory of 3004	2700	ysf.exe	29
PID 2700 wrote to memory of 3004	2700	ysf.exe	29

C:\Users\Admin\AppData\Local\Temp\24ab578c2502650cd3cd0b129f53056b.exe
"C:\Users\Admin\AppData\Local\Temp\24ab578c2502650cd3cd0b129f53056b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\ysf.exe
  "C:\Users\Admin\AppData\Local\Temp\ysf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ysf.exe

Filesize
24KB

MD5
401cd4e5dac275f5a1a8065a01607699

SHA1
1e4e90ad38d2b85d417311bc5d1e0d36dc6875f7

SHA256
b342c9569a99a9de842a608dc4ffd6c0fe85c24f0dca3dcb0c79b4d3aff34643

SHA512
46cc4c7ee4c7f3026a1fceb70d6f7bdc1a4d1a1f76dde5bdbe915b03b9d57df9906a542ffe4afad38b420b5d5e72da03b93a1af946e51b4b88252f3edea78920

Download Submit
memory/2652-19-0x0000000002F50000-0x0000000002F61000-memory.dmp

Filesize
68KB

Download
memory/2652-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2652-22-0x0000000002F50000-0x0000000002F61000-memory.dmp

Filesize
68KB

Download
memory/2652-27-0x0000000002F50000-0x0000000002F61000-memory.dmp

Filesize
68KB

Download
memory/2700-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download