e8c667759ebe040b83e68066eac519b6f301aeab0722447eab2491517fe7aecf

Analysis

max time kernel
47s
max time network
36s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2376ac65212df30b861dbd6fd6b2f3ea.exe
Size

8KB
MD5

2376ac65212df30b861dbd6fd6b2f3ea
SHA1

e9e2801103127b53a047bd968b01bc03e71c22ec
SHA256

e8c667759ebe040b83e68066eac519b6f301aeab0722447eab2491517fe7aecf
SHA512

28c205825f3cae2ff659b8df9b555dec009a7db66512c24b8a4f0a982944a965952e5e72ac297ecfbdddc74d8f7fc17023ac21e2708a35e9d468525410a2560b
SSDEEP

192:2bTk03SNjWLghqbqnZlc1sBBO1FaNJhLkwcud2DH9VwGfct8uE:2EZjWLorZcpjaNJawcudoD7UWr

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2608	b2e.exe

Loads dropped DLL 5 IoCs

pid	Process
2620	2376ac65212df30b861dbd6fd6b2f3ea.exe
2620	2376ac65212df30b861dbd6fd6b2f3ea.exe
3060	WerFault.exe
3060	WerFault.exe
3060	WerFault.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2620-0-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2620-2-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
3060	2608	WerFault.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2608	2620	2376ac65212df30b861dbd6fd6b2f3ea.exe	30
PID 2620 wrote to memory of 2608	2620	2376ac65212df30b861dbd6fd6b2f3ea.exe	30
PID 2620 wrote to memory of 2608	2620	2376ac65212df30b861dbd6fd6b2f3ea.exe	30
PID 2620 wrote to memory of 2608	2620	2376ac65212df30b861dbd6fd6b2f3ea.exe	30
PID 2608 wrote to memory of 3060	2608	b2e.exe	29
PID 2608 wrote to memory of 3060	2608	b2e.exe	29
PID 2608 wrote to memory of 3060	2608	b2e.exe	29
PID 2608 wrote to memory of 3060	2608	b2e.exe	29

C:\Users\Admin\AppData\Local\Temp\2376ac65212df30b861dbd6fd6b2f3ea.exe
"C:\Users\Admin\AppData\Local\Temp\2376ac65212df30b861dbd6fd6b2f3ea.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\4F48.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\4F48.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4F48.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\2376ac65212df30b861dbd6fd6b2f3ea.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 124
1⤵
- Loads dropped DLL
- Program crash
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4F48.tmp\b2e.exe

Filesize
9KB

MD5
f90dba07c27f979c8762a459a0678c4f

SHA1
90199efc05dfe1853ede74744226ca3c4cec0433

SHA256
5a829b002af972c22b875c85e01cac7f64a82867f7bfd47e0990b3a6d455ba92

SHA512
64f30c0df5b54072656e80ea753d2dce06f926987d18d4e1ceefdf31fe84155e93f5019b4e22b3f205e09edb945ddef79669a6e2ff9355e7d665421db3462811

Download Submit
memory/2608-13-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2620-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2620-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2620-6-0x00000000020B0000-0x00000000020B5000-memory.dmp

Filesize
20KB

Download