Overview

overview

7

Static

static

3

279b20a48c...2f.exe

windows7-x64

7

279b20a48c...2f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    30s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2023, 04:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    279b20a48c3929cf2ca7cb671539202f.exe

  • Size

    132KB

  • MD5

    279b20a48c3929cf2ca7cb671539202f

  • SHA1

    86a5789ca140d0fcb491e8d4f26ff3d84dc0f352

  • SHA256

    44cc7182fb15bf0a9033df520f5031037c18ca4a69ebea1657f0df346aa189a6

  • SHA512

    57d112ad0d8abdf0889b84b1637013979a9027eb5e52bfe3fa8054d7a15fe642023fe29b1e587332a565d54c6825a051f2863a1ab21abf85c59fdd3c58b10ea2

  • SSDEEP

    1536:wcNs9OIbKQ7usjxpM4Is5ctj4AN/r4TJHpL016gIZkuGtiJPpK+WN/F+/YAPd2xU:5A3bL1I6ctj4Ys216ysLKnNdc22P

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\279b20a48c3929cf2ca7cb671539202f.exe
    "C:\Users\Admin\AppData\Local\Temp\279b20a48c3929cf2ca7cb671539202f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4468
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 216
      2⤵
      • Program crash
      PID:4608
    • C:\Users\Admin\AppData\Local\Temp\279b20a48c3929cf2ca7cb671539202f.exe
      C:\Users\Admin\AppData\Local\Temp\279b20a48c3929cf2ca7cb671539202f.exe
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1688
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 100 -ip 100
    1⤵
      PID:2888
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 292
      1⤵
      • Program crash
      PID:3856
    • C:\Users\Admin\AppData\Roaming\taskhost.exe
      C:\Users\Admin\AppData\Roaming\taskhost.exe
      1⤵
      • Executes dropped EXE
      PID:4404
    • C:\Users\Admin\AppData\Roaming\taskhost.exe
      C:\Users\Admin\AppData\Roaming\taskhost.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:100
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4468 -ip 4468
      1⤵
        PID:2252

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\taskhost.exe
        Filesize

        98KB

        MD5

        19d21b92c655b51630fbdf14ffeeb100

        SHA1

        1748ca6c4376d85dd682b8ad7016fa2cc889d36e

        SHA256

        c7d4eed151d08095540f5c160d65984019656efddcd2c1b40842a046dcf82d13

        SHA512

        c87b6be30c39c084764edaa02f71dbcdb54921489bf9bd0306ef3cfb117406840508cf8c93e4537a8f3aa14dcde53c996c1707ec93cef36fd880a464c8cdb8bd

        Download Submit

      • C:\Users\Admin\AppData\Roaming\taskhost.exe
        Filesize

        92KB

        MD5

        4cea983f0cdf0c819ea0c1a1518c1e23

        SHA1

        294a9631fcac5eabdc61a9b1670981d02696ec9e

        SHA256

        1f17e4b6db585a0d5fff8f5b1c4851321cf83ce840da5093dc7663afbe41616d

        SHA512

        3fda78776f5472e20c6e955d7efe6e5cacb2328b877c6cf2127a74de3014be9391bee6a9c63e026dea4fd257eb1399a81a9cc1d1fbc556a94f75424c815460a5

        Download Submit

      • C:\Users\Admin\AppData\Roaming\taskhost.exe
        Filesize

        132KB

        MD5

        da42f7e6c2546bfeb3ad4fb32e5248f9

        SHA1

        ab4362e27326904fde72d6d58f981505a6eb9753

        SHA256

        9ef0a077174ab24d453546d38d68108f576bc053bfdc75c0cada7147e1aadee7

        SHA512

        a384389dd2bd22c402d6556eca539d0c939e7e84a8a69ee417a60f598a370c93554f69305b976bffdee8057fd7c4f619be69430837205ce942bf752866ee035f

        Download Submit

      • memory/1688-5-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/1688-2-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/1688-1-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/1688-0-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/4404-11-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/4404-10-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/4404-14-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/4404-23-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download