70b9b35e34c3a4ec1e946378c40e1d876920d638ec919ef2778e6047c1d5ad90

Analysis

max time kernel
75s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50e75dc2d5ace8a5669e347ed32c10dd.exe
Size

384KB
MD5

50e75dc2d5ace8a5669e347ed32c10dd
SHA1

5e357ca218cf49f8b18c622ed77c59798ca23322
SHA256

70b9b35e34c3a4ec1e946378c40e1d876920d638ec919ef2778e6047c1d5ad90
SHA512

d0dc948471e976bfaf75be161a8283ee2fd49e2a48a90e87162e3477511631d27e27fd2740d0a5ee6ebb15995c0154e7b1216e3e57d38413f1d07b685bfe9754
SSDEEP

6144:G59TOwr3GP/cSHBWOySe1jCrCzvfAL0OT+dgW/CkVgAtAt:G50QWvHBWOyHCrYfAL0OS6+uA+

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1852	eO10400NlBiN10400.exe

Executes dropped EXE 1 IoCs

pid	Process
1852	eO10400NlBiN10400.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/636-6-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral2/memory/636-13-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral2/memory/1852-19-0x0000000000400000-0x00000000004EE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\eO10400NlBiN10400 = "C:\\ProgramData\\eO10400NlBiN10400\\eO10400NlBiN10400.exe"	eO10400NlBiN10400.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3248	636	WerFault.exe	18
3232	1852	WerFault.exe	62

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
636	50e75dc2d5ace8a5669e347ed32c10dd.exe
636	50e75dc2d5ace8a5669e347ed32c10dd.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	636	50e75dc2d5ace8a5669e347ed32c10dd.exe
Token: SeDebugPrivilege	1852	eO10400NlBiN10400.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1852	eO10400NlBiN10400.exe
1852	eO10400NlBiN10400.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 1852	636	50e75dc2d5ace8a5669e347ed32c10dd.exe	62
PID 636 wrote to memory of 1852	636	50e75dc2d5ace8a5669e347ed32c10dd.exe	62
PID 636 wrote to memory of 1852	636	50e75dc2d5ace8a5669e347ed32c10dd.exe	62

C:\Users\Admin\AppData\Local\Temp\50e75dc2d5ace8a5669e347ed32c10dd.exe
"C:\Users\Admin\AppData\Local\Temp\50e75dc2d5ace8a5669e347ed32c10dd.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 676
  2⤵
  - Program crash
  PID:3248
- C:\ProgramData\eO10400NlBiN10400\eO10400NlBiN10400.exe
  "C:\ProgramData\eO10400NlBiN10400\eO10400NlBiN10400.exe" "C:\Users\Admin\AppData\Local\Temp\50e75dc2d5ace8a5669e347ed32c10dd.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 668
    3⤵
    - Program crash
    PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 636 -ip 636
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1852 -ip 1852
1⤵
PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eO10400NlBiN10400\eO10400NlBiN10400.exe

Filesize
67KB

MD5
6d37b0ac3aad15696175c35da0c421c5

SHA1
05ed8d20a36ac9965e79c17fce9f82973a5f1f84

SHA256
401c49c862946dcae20e2f7370641daa4b93723971018fcde1a2383aa3734234

SHA512
c29b8ad04dabc4dc7fe9a54176fe89fca336a6b30e626e286f6635dbcc6906b1f11f04823c617c089c6361e932b46f1b2442dc567bacf81b0bd44e851d4c8e1d

Download Submit
C:\ProgramData\eO10400NlBiN10400\eO10400NlBiN10400.exe

Filesize
40KB

MD5
d8bf1966ab1f54f37a49d4031d1770fb

SHA1
b4e0ac7ef8408640350a5f850d016c0ea4d7ae71

SHA256
6ee877b9d4ec98149e4ab4853b987b382c3934bdaadda9d06ea8cd5e52c4e802

SHA512
e74d4fd281186c3f2ca1995b244dca78f2950a2546c4928c995755c2d69c33ec127d48f75df75bf3479d0c9663f85b5d3d5063911c7385aab2fc9331412a5071

Download Submit
memory/636-0-0x0000000002250000-0x0000000002252000-memory.dmp

Filesize
8KB

Download
memory/636-6-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/636-13-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1852-19-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1852-22-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1852-29-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download