3473cea449000e46e3496f325a1109014022d8c4858fdcd659d8e0d3398f74ad

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-01-2024 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42185387a28ac337a7de89eee98174f2.exe
Size

13KB
MD5

42185387a28ac337a7de89eee98174f2
SHA1

69b95a54c23a37953486e5bc2d221ee562a096a8
SHA256

3473cea449000e46e3496f325a1109014022d8c4858fdcd659d8e0d3398f74ad
SHA512

b4f743cbf272dc39d82dd296782e0e13257a73fedd03f584f1e333c5c6225620035a70491ede949f54e3abb562139f215707a0fa2b67854f12a796fec31b47cf
SSDEEP

384:tcNLGmTVtM/DyAw5ND1hLfOnPv5ig39/15Fd0ER03nYvT:mNLGQkw3D1dfOPv0g375T0ERxT

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

42185387a28ac337a7de89eee98174f2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RunOnce2Upd = "\"C:\\Windows\\system32\\KB_963493.exe\""	42185387a28ac337a7de89eee98174f2.exe

Drops file in Windows directory 3 IoCs

Processes:

42185387a28ac337a7de89eee98174f2.exe

description	ioc	process
File created	C:\Windows\system32RunOnce2.tm_	42185387a28ac337a7de89eee98174f2.exe
File created	C:\Windows\system32RunOnce2.t__	42185387a28ac337a7de89eee98174f2.exe
File opened for modification	C:\Windows\system32RunOnce2.tm_	42185387a28ac337a7de89eee98174f2.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2720 2480 WerFault.exe 42185387a28ac337a7de89eee98174f2.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

42185387a28ac337a7de89eee98174f2.exe

pid process

2480 42185387a28ac337a7de89eee98174f2.exe

pid	pid_target	process	target process
2720	2480	WerFault.exe	42185387a28ac337a7de89eee98174f2.exe

pid	process
2480	42185387a28ac337a7de89eee98174f2.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

42185387a28ac337a7de89eee98174f2.exe

description	pid	process	target process
PID 2480 wrote to memory of 2720	2480	42185387a28ac337a7de89eee98174f2.exe	WerFault.exe
PID 2480 wrote to memory of 2720	2480	42185387a28ac337a7de89eee98174f2.exe	WerFault.exe
PID 2480 wrote to memory of 2720	2480	42185387a28ac337a7de89eee98174f2.exe	WerFault.exe
PID 2480 wrote to memory of 2720	2480	42185387a28ac337a7de89eee98174f2.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\42185387a28ac337a7de89eee98174f2.exe
"C:\Users\Admin\AppData\Local\Temp\42185387a28ac337a7de89eee98174f2.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 752
2⤵
- Program crash
PID:2720

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads