182216de89837e3f7df75a9adb5c33558afcf7012cdb6cceee94bf9a50801ac9

Analysis

max time kernel
15s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

510ed1754e4a7d1ed80d4d51221682ab.exe
Size

2.0MB
MD5

510ed1754e4a7d1ed80d4d51221682ab
SHA1

bb9dc51be8896b7fdd09a73fc5dcb0400a54d4ae
SHA256

182216de89837e3f7df75a9adb5c33558afcf7012cdb6cceee94bf9a50801ac9
SHA512

8042528bc288e227c5e447bb2d36753807d9d89ac237866722a93a396dddab9e3537ea1a25283a1ecdff7a8b4825d8d2dc51c59775d617451ce474fa9441e395
SSDEEP

49152:jTsZsOD9+WnY4iL1vJSDEuW4/rgo3hLIUgHcCdVG88qBmXBQ2sbg4MXT24/rgo3r:P7OD4WnY4ihvJSDEgrg0IJH/d0FamXBV

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4804	510ed1754e4a7d1ed80d4d51221682ab.exe

Executes dropped EXE 1 IoCs

pid	Process
4804	510ed1754e4a7d1ed80d4d51221682ab.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4036-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/memory/4804-14-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 18 IoCs

pid	pid_target	Process	procid_target
2232	4804	WerFault.exe
2188	4804	WerFault.exe	29
1912	4804	WerFault.exe	29
1516	4804	WerFault.exe	29
2656	4804	WerFault.exe	29
636	4804	WerFault.exe	29
4292	4804	WerFault.exe	29
1552	4804	WerFault.exe	29
1956	4804	WerFault.exe	29
1676	4804	WerFault.exe	29
1056	4804	WerFault.exe	29
3184	4804	WerFault.exe	29
1916	4804	WerFault.exe	29
1972	4804	WerFault.exe	29
4052	4804	WerFault.exe	29
3788	4804	WerFault.exe	29
1880	4804	WerFault.exe	29
1088	4804	WerFault.exe	29

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4720	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4036	510ed1754e4a7d1ed80d4d51221682ab.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4036	510ed1754e4a7d1ed80d4d51221682ab.exe
4804	510ed1754e4a7d1ed80d4d51221682ab.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 4804	4036	510ed1754e4a7d1ed80d4d51221682ab.exe	29
PID 4036 wrote to memory of 4804	4036	510ed1754e4a7d1ed80d4d51221682ab.exe	29
PID 4036 wrote to memory of 4804	4036	510ed1754e4a7d1ed80d4d51221682ab.exe	29
PID 4804 wrote to memory of 4720	4804	510ed1754e4a7d1ed80d4d51221682ab.exe	28
PID 4804 wrote to memory of 4720	4804	510ed1754e4a7d1ed80d4d51221682ab.exe	28
PID 4804 wrote to memory of 4720	4804	510ed1754e4a7d1ed80d4d51221682ab.exe	28
PID 4804 wrote to memory of 3140	4804	510ed1754e4a7d1ed80d4d51221682ab.exe	27
PID 4804 wrote to memory of 3140	4804	510ed1754e4a7d1ed80d4d51221682ab.exe	27
PID 4804 wrote to memory of 3140	4804	510ed1754e4a7d1ed80d4d51221682ab.exe	27
PID 3140 wrote to memory of 4360	3140	cmd.exe	126
PID 3140 wrote to memory of 4360	3140	cmd.exe	126
PID 3140 wrote to memory of 4360	3140	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\510ed1754e4a7d1ed80d4d51221682ab.exe
"C:\Users\Admin\AppData\Local\Temp\510ed1754e4a7d1ed80d4d51221682ab.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Users\Admin\AppData\Local\Temp\510ed1754e4a7d1ed80d4d51221682ab.exe
  C:\Users\Admin\AppData\Local\Temp\510ed1754e4a7d1ed80d4d51221682ab.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 632
    3⤵
    - Program crash
    PID:2188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 640
    3⤵
    - Program crash
    PID:1912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 740
    3⤵
    - Program crash
    PID:1516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 636
    3⤵
    - Program crash
    PID:2656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 752
    3⤵
    - Program crash
    PID:636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1468
    3⤵
    - Program crash
    PID:4292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1920
    3⤵
    - Program crash
    PID:1552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 2144
    3⤵
    - Program crash
    PID:1956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 2104
    3⤵
    - Program crash
    PID:1676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1956
    3⤵
    - Program crash
    PID:1056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1924
    3⤵
    - Program crash
    PID:3184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1984
    3⤵
    - Program crash
    PID:1916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1928
    3⤵
    - Program crash
    PID:1972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1968
    3⤵
    - Program crash
    PID:4052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1920
    3⤵
    - Program crash
    PID:3788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 2160
    3⤵
    - Program crash
    PID:1880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 628
    3⤵
    - Program crash
    PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4804 -ip 4804
1⤵
PID:2692

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN 0Su7L8S745c1
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 612
1⤵
- Program crash
PID:2232

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks.exe /Query /XML /TN 0Su7L8S745c1 > C:\Users\Admin\AppData\Local\Temp\Pi7fX.xml
1⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\510ed1754e4a7d1ed80d4d51221682ab.exe" /TN 0Su7L8S745c1 /F
1⤵
- Creates scheduled task(s)
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4804 -ip 4804
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4804 -ip 4804
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4804 -ip 4804
1⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4804 -ip 4804
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4804 -ip 4804
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4804 -ip 4804
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4804 -ip 4804
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4804 -ip 4804
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4804 -ip 4804
1⤵
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4804 -ip 4804
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4804 -ip 4804
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4804 -ip 4804
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4804 -ip 4804
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4804 -ip 4804
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4804 -ip 4804
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4804 -ip 4804
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4804 -ip 4804
1⤵
PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4036-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4036-2-0x00000000018C0000-0x000000000193E000-memory.dmp

Filesize
504KB

Download
memory/4036-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4036-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4804-17-0x0000000001730000-0x00000000017AE000-memory.dmp

Filesize
504KB

Download
memory/4804-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4804-22-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/4804-14-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4804-37-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads