b5c7ccd5354e20fa244581b70a679d0a91f08c3634d09b9a8ffbf130258c30b6

Analysis

max time kernel
35s
max time network
18s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 09:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

vaultFile7494906008829096493.exe
Size

24.4MB
MD5

316213c6c37cd4a79f7391e228871bad
SHA1

112b5f4812e84cf98f476c041a99d462ec183c8f
SHA256

b5c7ccd5354e20fa244581b70a679d0a91f08c3634d09b9a8ffbf130258c30b6
SHA512

6bf74e2c7541c11de05d256779e7160aab8ea773587dd1e5620ec08268972c2eaf666ba89ff15a9be582268ea4e4116902f1869738057981c1c18ffd0ab6b1f3
SSDEEP

393216:OrohOyMjBoiDBsVz3CSwBLwCt+w+SbGgX2ndHeyDvxkJdydJgFqHJT/dT50HoXJa:co/RCSwBLdtySbG5d+YBdJgwZ/x6Is

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
2856	WerFault.exe
2856	WerFault.exe
2856	WerFault.exe
2856	WerFault.exe
2856	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2856	2184	WerFault.exe	27

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2760	2184	vaultFile7494906008829096493.exe	29
PID 2184 wrote to memory of 2760	2184	vaultFile7494906008829096493.exe	29
PID 2184 wrote to memory of 2760	2184	vaultFile7494906008829096493.exe	29
PID 2184 wrote to memory of 2760	2184	vaultFile7494906008829096493.exe	29
PID 2184 wrote to memory of 2856	2184	vaultFile7494906008829096493.exe	28
PID 2184 wrote to memory of 2856	2184	vaultFile7494906008829096493.exe	28
PID 2184 wrote to memory of 2856	2184	vaultFile7494906008829096493.exe	28
PID 2184 wrote to memory of 2856	2184	vaultFile7494906008829096493.exe	28

C:\Users\Admin\AppData\Local\Temp\vaultFile7494906008829096493.exe
"C:\Users\Admin\AppData\Local\Temp\vaultFile7494906008829096493.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 272
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2856
- C:\Windows\system32\reg.exe
  "C:\Windows\Sysnative\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
  2⤵
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\vaultFile7494906008829096493.exe

Filesize
752KB

MD5
546b05d2cd2a771b02538df6c2d5773a

SHA1
f49850a2484342a7ac5268e94d9a3c799ff7e942

SHA256
8c546b9926d77ca41716356db4caecf339176d5ddf8609ce8f688bd5cdd06d0a

SHA512
9703e642de4d07fab416c3f8b0409a65c8755b412564c7a819f34f150a271a8d084eb2b1301716f707bc2291f2eaded92eef1069ca3affc0376bc79e2b689ec4

Download Submit
\Users\Admin\AppData\Local\Temp\vaultFile7494906008829096493.exe

Filesize
470KB

MD5
263dac25a50d8e93042999eeb36946f9

SHA1
242e3e5e13e554e3e35b999597213c24bad54bb7

SHA256
e4e4e959126f20de6aec47e23f4074d855dc14a9d62c9707330c855e96854ba7

SHA512
e09c6732bf5f2f96d867e5376f32f80754c4ed31076147a4980963d81edc0e6b6cf2ad6147b0e02ff6dabf36a322a54307a9d5d6c667520e893a884219988661

Download Submit
\Users\Admin\AppData\Local\Temp\vaultFile7494906008829096493.exe

Filesize
490KB

MD5
fbc9cdf7b5d93e7d70c6ac52c96b68a6

SHA1
0cff1da9a5abc3eb23206bff2e7221935f0170d5

SHA256
f41207f7c41a5799cf9e5eaed69ede43df72378d55fd390ad99a0469a516ed08

SHA512
8e2aca5d8c711dcee29f4cabc8ceb518fb66fe6ec19ecd81a5ae90b6196c7acf075f78e45741d6c0b42641da624b299ad37db2cd6c94b54e0ca356da6aaabc16

Download Submit
\Users\Admin\AppData\Local\Temp\vaultFile7494906008829096493.exe

Filesize
364KB

MD5
929a59a7e203212a5b1f2345a2af4237

SHA1
360e62adaa2056f4b24a039b4462185ad51a5f38

SHA256
ed5c9c8acb6bfca59d89cb7fc1a2b649592386f7538b3ffe7c84a3c93cb5aa9c

SHA512
871858c68bd3c54af17985e8bdcc8c36b59ba9551684f20cb988bacc09af635064bc4cc3fd69cbc11b7ade85c87972c83cc8e0a709f02a3b38ff3529fc8cccf5

Download Submit
\Users\Admin\AppData\Local\Temp\vaultFile7494906008829096493.exe

Filesize
937KB

MD5
b05b09a9c930d49300edf59f88276382

SHA1
209177d2660d7a4848af68d9de0ca80a22b92cb7

SHA256
20e1afbd001569968e88ba5260397023adb239e23a2e2c44149f81278bcb26cf

SHA512
a96cbcd7b863b9510b460a9ac4ba6e89f0b0e85e215d759e0b204812d86c0bbf1e09f71c4dfa235ca32e81e9b275f17507453fe49f21beb6b48a61ae5fe90f76

Download Submit