Analysis
max time kernel: 15s
max time network: 112s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-12-2023 11:44
Static task: static1
Behavioral task: behavioral1
  Sample: 34e05cdf204438280276b36357564611.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 34e05cdf204438280276b36357564611.exe
  Resource: win10v2004-20231222-en
General
Target: 34e05cdf204438280276b36357564611.exe
Size: 483KB
MD5: 34e05cdf204438280276b36357564611
SHA1: bce895c994f8bc0e7c360e8ec3d83941fc4299b4
SHA256: a6d0d930dc320f14d484b1ef1174b559471d89b907801d044415b9bcfbae03a0
SHA512: 7e9b69344e5b8a7e48ea6827336cc65b66b86c3fde4518c147b10709d320cff0774e32bb3e023939774f317d5da13ca0ec056a080a2e052d57225b8cd1c8a25f
SSDEEP: 6144:rIFhuSYWFYgrKsUc3y2WnO1xzcWmZXe2rkwnbo60T21BOcCSrYDEgfje5ig1ef9/:mh8Mz+sv3y2N1xzAZprkmuN/SD5iKeft
Malware Config
(none)

Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes:
    pid   pid_target  process       target process
    2500  2988        WerFault.exe  syscheck.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   2828  34e05cdf204438280276b36357564611.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\34e05cdf204438280276b36357564611.exe
      "C:\Users\Admin\AppData\Local\Temp\34e05cdf204438280276b36357564611.exe"
      Suspicious use of AdjustPrivilegeToken
      PID: 2828
  - [2] C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\34e05cdf204438280276b36357564611.exe" "C:\Users\Admin\AppData\Local\syscheck.exe"
        PID: 396
  - [2] C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\syscheck.exe"
        PID: 2464
    - [3] C:\Users\Admin\AppData\Local\syscheck.exe
          "C:\Users\Admin\AppData\Local\syscheck.exe"
          PID: 4396
      - [4] C:\Users\Admin\AppData\Local\syscheck.exe
            "C:\Users\Admin\AppData\Local\syscheck.exe"
            PID: 2988
        - [5] C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 184
              Program crash
              PID: 2500
- [1] C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2988 -ip 2988
      PID: 1472
Network
MITRE ATT&CK Enterprise v15
Downloads
memory dump                                                          Filesize
memory/2828-11-0x00000000743C0000-0x0000000074B70000-memory.dmp      7.7MB
memory/2828-5-0x0000000004E80000-0x0000000004E90000-memory.dmp       64KB
memory/2828-4-0x0000000004CB0000-0x0000000004CCC000-memory.dmp       112KB
memory/2828-3-0x0000000004D40000-0x0000000004DD2000-memory.dmp       584KB
memory/2828-2-0x00000000052F0000-0x0000000005894000-memory.dmp       5.6MB
memory/2828-0-0x00000000003B0000-0x000000000042E000-memory.dmp       504KB
memory/2828-8-0x00000000743C0000-0x0000000074B70000-memory.dmp       7.7MB
memory/2828-9-0x0000000004E80000-0x0000000004E90000-memory.dmp       64KB
memory/2828-1-0x00000000743C0000-0x0000000074B70000-memory.dmp       7.7MB
memory/2988-22-0x00000000003D0000-0x00000000003FA000-memory.dmp      168KB
memory/4396-15-0x00000000743C0000-0x0000000074B70000-memory.dmp      7.7MB
memory/4396-17-0x00000000743C0000-0x0000000074B70000-memory.dmp      7.7MB
memory/4396-18-0x00000000050A0000-0x00000000050B0000-memory.dmp      64KB
memory/4396-19-0x0000000006060000-0x00000000060FC000-memory.dmp      624KB
memory/4396-25-0x00000000743C0000-0x0000000074B70000-memory.dmp      7.7MB
memory/4396-16-0x00000000050A0000-0x00000000050B0000-memory.dmp      64KB