Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 04-01-2024 22:41
Static task: static1
- 1 signatures

Behavioral task: behavioral1
- Sample: 42185387a28ac337a7de89eee98174f2.exe
- Resource: win7-20231215-en
- 5 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: 42185387a28ac337a7de89eee98174f2.exe
- Resource: win10v2004-20231215-en
- 0 signatures
- 150 seconds
General
- Target: 42185387a28ac337a7de89eee98174f2.exe
- Size: 13KB
- MD5: 42185387a28ac337a7de89eee98174f2
- SHA1: 69b95a54c23a37953486e5bc2d221ee562a096a8
- SHA256: 3473cea449000e46e3496f325a1109014022d8c4858fdcd659d8e0d3398f74ad
- SHA512: b4f743cbf272dc39d82dd296782e0e13257a73fedd03f584f1e333c5c6225620035a70491ede949f54e3abb562139f215707a0fa2b67854f12a796fec31b47cf
- SSDEEP: 384:tcNLGmTVtM/DyAw5ND1hLfOnPv5ig39/15Fd0ER03nYvT:mNLGQkw3D1dfOPv0g375T0ERxT
- Score: 6/10
Malware Config
Signatures

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 42185387a28ac337a7de89eee98174f2.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RunOnce2Upd = "\"C:\\Windows\\system32\\KB_963493.exe\""
    process: 42185387a28ac337a7de89eee98174f2.exe

- Drops file in Windows directory (3 IoCs)
  Processes: 42185387a28ac337a7de89eee98174f2.exe
    description: File created
    ioc: C:\Windows\system32RunOnce2.tm_
    process: 42185387a28ac337a7de89eee98174f2.exe

    description: File created
    ioc: C:\Windows\system32RunOnce2.t__
    process: 42185387a28ac337a7de89eee98174f2.exe

    description: File opened for modification
    ioc: C:\Windows\system32RunOnce2.tm_
    process: 42185387a28ac337a7de89eee98174f2.exe

- Program crash (1 IoCs)
  Processes: WerFault.exe
    pid: 2720
    pid_target: 2480
    process: WerFault.exe
    target process: 42185387a28ac337a7de89eee98174f2.exe

- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: 42185387a28ac337a7de89eee98174f2.exe
    pid: 2480
    process: 42185387a28ac337a7de89eee98174f2.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 42185387a28ac337a7de89eee98174f2.exe
    description: PID 2480 wrote to memory of 2720
    pid: 2480
    process: 42185387a28ac337a7de89eee98174f2.exe
    target process: WerFault.exe
    (the same entry is recorded 4 times)
Processes

- C:\Users\Admin\AppData\Local\Temp\42185387a28ac337a7de89eee98174f2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\42185387a28ac337a7de89eee98174f2.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 752
    - Program crash