4179ef5a560e945506220ecc88f1b1b405bfef96a307694a6cad328a8760bdd8

Analysis

max time kernel
142s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 08:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

55f14b2201af3d9b928eeedf200e321b.exe
Size

537KB
MD5

55f14b2201af3d9b928eeedf200e321b
SHA1

bedecf7e7ad0a089aeea3d8a7d33ecce8da0f54e
SHA256

4179ef5a560e945506220ecc88f1b1b405bfef96a307694a6cad328a8760bdd8
SHA512

38d72123feb173bf0d7d082172c8674808b6ab38d00074dd88ee4ea1cba31cd4219e220c3b4ce0066eaeff0294185449a8c8077d3e4c84b96113a393fbacd008
SSDEEP

12288:LoIRwgxVeseoy5+wHbUUXdrrn9HQo30veSBiQPp4kv8jZ:kIRwgxVheRRbUjRGELPpFUl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2640	EntMian.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\EntMian.exe	55f14b2201af3d9b928eeedf200e321b.exe
File opened for modification	C:\Windows\EntMian.exe	55f14b2201af3d9b928eeedf200e321b.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2112	5056	WerFault.exe	16
2632	2640	WerFault.exe	80

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	EntMian.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	EntMian.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	EntMian.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	EntMian.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	EntMian.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5056	55f14b2201af3d9b928eeedf200e321b.exe
Token: SeDebugPrivilege	2640	EntMian.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2640	EntMian.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2364	2640	EntMian.exe	92
PID 2640 wrote to memory of 2364	2640	EntMian.exe	92

C:\Users\Admin\AppData\Local\Temp\55f14b2201af3d9b928eeedf200e321b.exe
"C:\Users\Admin\AppData\Local\Temp\55f14b2201af3d9b928eeedf200e321b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 324
  2⤵
  - Program crash
  PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5056 -ip 5056
1⤵
PID:2384

C:\Windows\EntMian.exe
C:\Windows\EntMian.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 320
  2⤵
  - Program crash
  PID:2632
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2640 -ip 2640
1⤵
PID:2604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2640-24-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/2640-38-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/2640-39-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/2640-40-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/2640-42-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/2640-43-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/2640-41-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/2640-37-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/2640-36-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/2640-35-0x0000000000400000-0x0000000000505200-memory.dmp

Filesize
1.0MB

Download
memory/2640-27-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/2640-25-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/2640-26-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/2640-28-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/2640-29-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/2640-30-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/2640-31-0x00000000015D0000-0x00000000016D0000-memory.dmp

Filesize
1024KB

Download
memory/2640-32-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/2640-22-0x0000000000400000-0x0000000000505200-memory.dmp

Filesize
1.0MB

Download
memory/2640-23-0x00000000009F0000-0x0000000000A3B000-memory.dmp

Filesize
300KB

Download
memory/5056-13-0x0000000002920000-0x000000000293B000-memory.dmp

Filesize
108KB

Download
memory/5056-2-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/5056-3-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/5056-8-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/5056-5-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/5056-10-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/5056-12-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/5056-11-0x0000000002920000-0x000000000293B000-memory.dmp

Filesize
108KB

Download
memory/5056-0-0x0000000000400000-0x0000000000505200-memory.dmp

Filesize
1.0MB

Download
memory/5056-34-0x00000000009D0000-0x0000000000A1B000-memory.dmp

Filesize
300KB

Download
memory/5056-33-0x0000000000400000-0x0000000000505200-memory.dmp

Filesize
1.0MB

Download
memory/5056-14-0x0000000002920000-0x000000000293B000-memory.dmp

Filesize
108KB

Download
memory/5056-15-0x0000000002920000-0x000000000293B000-memory.dmp

Filesize
108KB

Download
memory/5056-16-0x0000000002920000-0x000000000293B000-memory.dmp

Filesize
108KB

Download
memory/5056-18-0x0000000002920000-0x000000000293B000-memory.dmp

Filesize
108KB

Download
memory/5056-19-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/5056-17-0x0000000002920000-0x000000000293B000-memory.dmp

Filesize
108KB

Download
memory/5056-9-0x0000000002920000-0x000000000293B000-memory.dmp

Filesize
108KB

Download
memory/5056-4-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/5056-1-0x00000000009D0000-0x0000000000A1B000-memory.dmp

Filesize
300KB

Download