6ae158ddde4d5ec87264301b1813f501ebc9fd432f8eee8545ea8cf188ce1178

Analysis

max time kernel
175s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ced7d5c30e556cb5fca70d262d8752c.exe
Size

417KB
MD5

3ced7d5c30e556cb5fca70d262d8752c
SHA1

4fda406334dbe15520b6f141a54dc60090dcb98f
SHA256

6ae158ddde4d5ec87264301b1813f501ebc9fd432f8eee8545ea8cf188ce1178
SHA512

b8ce0f526785d2d55d0cc4c3395edc861f57cb3cdaa605b24e19155ad3384dff98ad164df6ad9cf521b2a63a66b9c5e5ea93dddf3be6e9cd02d7d9e743cee8ce
SSDEEP

6144:u97+l2eJi5/Z+cDymEDPyHJ3EJxTZGI4VvRhWXnR/OYndS8rLkwxofZ89vos+mTx:ehec5/uTuylZGFVvHW3AedRrLk7dsv7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2616	server.exe
2648	aim6.exe

Loads dropped DLL 8 IoCs

pid	Process
2736	3ced7d5c30e556cb5fca70d262d8752c.exe
2736	3ced7d5c30e556cb5fca70d262d8752c.exe
2736	3ced7d5c30e556cb5fca70d262d8752c.exe
2736	3ced7d5c30e556cb5fca70d262d8752c.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
748	2616	WerFault.exe	27

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2616	2736	3ced7d5c30e556cb5fca70d262d8752c.exe	27
PID 2736 wrote to memory of 2616	2736	3ced7d5c30e556cb5fca70d262d8752c.exe	27
PID 2736 wrote to memory of 2616	2736	3ced7d5c30e556cb5fca70d262d8752c.exe	27
PID 2736 wrote to memory of 2616	2736	3ced7d5c30e556cb5fca70d262d8752c.exe	27
PID 2736 wrote to memory of 2648	2736	3ced7d5c30e556cb5fca70d262d8752c.exe	28
PID 2736 wrote to memory of 2648	2736	3ced7d5c30e556cb5fca70d262d8752c.exe	28
PID 2736 wrote to memory of 2648	2736	3ced7d5c30e556cb5fca70d262d8752c.exe	28
PID 2736 wrote to memory of 2648	2736	3ced7d5c30e556cb5fca70d262d8752c.exe	28
PID 2616 wrote to memory of 748	2616	server.exe	29
PID 2616 wrote to memory of 748	2616	server.exe	29
PID 2616 wrote to memory of 748	2616	server.exe	29
PID 2616 wrote to memory of 748	2616	server.exe	29

C:\Users\Admin\AppData\Local\Temp\3ced7d5c30e556cb5fca70d262d8752c.exe
"C:\Users\Admin\AppData\Local\Temp\3ced7d5c30e556cb5fca70d262d8752c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 44
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:748
- C:\Users\Admin\AppData\Local\Temp\aim6.exe
  "C:\Users\Admin\AppData\Local\Temp\aim6.exe"
  2⤵
  - Executes dropped EXE
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aim6.exe

Filesize
49KB

MD5
d133e4b1f2265e46df2ccfdc9afb594b

SHA1
01fb12d245b09cbb114e9f07b45c9655c8d6a537

SHA256
1be806aff99f1d3ccb121fbb1204e4525ee74cff3078c4e9e22e72d415b8ef95

SHA512
eb06c781a7e5a2f02c39d6ed5ae53680c3a83281e3a80e597c4260b99861414395475c568a67e6b5d9d9d8a91a34510f0ee52c406fdbb4970ce39eb48b01b80f

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
350KB

MD5
959bbaa8b95fbcf1dd88ac4dfe15d5d9

SHA1
5b6b6e78b9b4b1988898ef2500b5cd51323f0a0e

SHA256
f9bcc087f86418c2fa4ae3afa21c1c694d83ee45bd873cdf26b1b1ba54fce215

SHA512
178c70b5a41975beec401e865fd4c810236226e9285d13d47df3689718e85b5122932c2d4ae7a3c9f8880417e87b45888442b36fe35894ab924313624fa56bae

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
321KB

MD5
7522829d705df069dcd86bc32ca9681e

SHA1
062ec5629f571df0d393cb2e50cdd20c3199c4ef

SHA256
7d27ef77f165578feb7a942471c023800d5123ad5f14671d281df56f8aebc66f

SHA512
f987b43a7406cb1611ef24a24862ef4806672af3cb1c3b66e8212ff96f5ad39c527ed91864873b5c6a782b0f4fe58f8d3e5672836f2e9ea3f562e01500ce9bce

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
95KB

MD5
adcd7dd6b0ea42cd1c1c9a2603d53b67

SHA1
d779a539cbca4cb9c2274e370e96d3abbe382545

SHA256
b15b2144fc1167bed2f61a183082ac8735c622ace196b0a7b830d4d0021cc431

SHA512
f83b9cbbb1e6653c0ad6da7632997d65ddc0cfd42d2bbae9aee89dfb23a62b58d0f0ab09b7b7732cbc8eee2949f218835e927b581d7cf46e6fc5357d354fb279

Download Submit
memory/2616-13-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/2736-4-0x00000000028B0000-0x0000000002AAE000-memory.dmp

Filesize
2.0MB

Download
memory/2736-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2736-20-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download