14e9f6b17758c84db9a2cc42f99ee091de58922a796c343cff0f5ed3d3cd8835

Analysis

max time kernel
5s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2024 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35212d6256a04fc5e0ece3985f15396b.exe
Size

150KB
MD5

35212d6256a04fc5e0ece3985f15396b
SHA1

cec766f69d2bbfa0260c7ad3ddb2ac131f193e8e
SHA256

14e9f6b17758c84db9a2cc42f99ee091de58922a796c343cff0f5ed3d3cd8835
SHA512

19be7faa18081be4c44050a54d26ea662dae8220f0ab093a5dd659ba4ccab37ff57a221155bb7ab3a841d23ef5859b67ebbfda497d620565dd9eff8bc7347f93
SSDEEP

3072:/VhUTNt0TSmLGkhjKXFvIGk6H0ydpZTr5iSTNL9cEVz3CiODcRwZV:dkt0TSZkhWVvI+UupZTr5iSVrLmck

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1956	ind4287.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3580	1956	WerFault.exe	48

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4816	35212d6256a04fc5e0ece3985f15396b.exe
4816	35212d6256a04fc5e0ece3985f15396b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 1956	4816	35212d6256a04fc5e0ece3985f15396b.exe	48
PID 4816 wrote to memory of 1956	4816	35212d6256a04fc5e0ece3985f15396b.exe	48
PID 4816 wrote to memory of 1956	4816	35212d6256a04fc5e0ece3985f15396b.exe	48

C:\Users\Admin\AppData\Local\Temp\35212d6256a04fc5e0ece3985f15396b.exe
"C:\Users\Admin\AppData\Local\Temp\35212d6256a04fc5e0ece3985f15396b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\ind4287.tmp
  C:\Users\Admin\AppData\Local\Temp\ind4287.tmp
  2⤵
  - Executes dropped EXE
  PID:1956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 256
    3⤵
    - Program crash
    PID:3580
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INS534~1.INI /quiet
  2⤵
  PID:3956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\35212D~1.EXE > nul
  2⤵
  PID:3624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  PID:4048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1956 -ip 1956
1⤵
PID:744

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3132
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C4CAF4AB634819F2515CB09CE10D6E95
  2⤵
  PID:5064

C:\Users\Admin\AppData\Local\Temp\inl56AD.tmp
C:\Users\Admin\AppData\Local\Temp\inl56AD.tmp cdf1912.tmp
1⤵
PID:400
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl56AD.tmp > nul
  2⤵
  PID:2764

C:\Windows\SysWOW64\expand.exe
expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
1⤵
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57570c.rbs

Filesize
8KB

MD5
b4385a982db7557a6b4b2317b051168e

SHA1
df5980da81f62bbc8ee936b740db8edd9b6fca32

SHA256
f65e05e77135747f3bc82b4e40fa4be81bc3074bf0839b166348f9ba57569984

SHA512
5a834269e93bcbe8999bd5424f4f84a0f9a72e984e8f5a4f01fed3a890f3ba9f0612ed1d5026924e683c6dd93659400592e81d23783bd706b5096ebc2b980966

Download Submit
C:\Users\Admin\AppData\Local\Temp\INS534~1.INI

Filesize
66KB

MD5
d217b6cea5884d1b0a0d97da10a5a798

SHA1
8696e67cdf29d64875a8654309060d38f80ac642

SHA256
371057791a9d858f1e1a77fbda28bfc7a95b08e6ad031cf342f3ba779d5756f6

SHA512
f5d3fda68d4bde44e07faed836374718a01f459ec0d47d79c3534b240d5369c48776d128adc513ad3786d9c994c262251dfec07aa041d391d4290466a7d0b2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ind4287.tmp

Filesize
388KB

MD5
5e8cd93cd291515bd81fa37f62fbe7e5

SHA1
c31e3ba569e68b8f04511bcf3801124bf1b10ff8

SHA256
655ea68038e6e9e7c6045e9c2cd7e713f57480d0003f8549c310f70abad1a6d8

SHA512
0fa2953d53a06720abcfe08e8a9865e882820023bdf1a66cb840a21032bd6eb578dd08f642464b1f322d93e6828f4f0af8c80ca526fdb59ed5420f8315e2ef4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ind4287.tmp

Filesize
382KB

MD5
f77699757e6ad3d071c15c77a603949b

SHA1
3b3278215fc35f602004da0cfa5caa89dedb512c

SHA256
75c98e93351d97a680307267c1862b28513a9f36f9daa486526ede0ab40deaa1

SHA512
c4dce30fa0d19834b5430d709cddd9cf0d65bd735edd8641ac7ee8ad9caba3f2f08f4775545b9c0c979ec0c2e871930e23c7611b3c2e006b111bb993c5e2e5bf

Download Submit
memory/400-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1956-11-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1956-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1956-10-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/4816-1-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download
memory/4816-49-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download
memory/4816-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4816-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download