96040b9ce66777ae794307e10aab36b48e39b8392c13a1b6a5434640a959cb73

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

595fba9869aabb57ce1eda59c6504a3a.exe
Size

729KB
MD5

595fba9869aabb57ce1eda59c6504a3a
SHA1

53d82b4df3c4537c71099e00a367b940a05d792e
SHA256

96040b9ce66777ae794307e10aab36b48e39b8392c13a1b6a5434640a959cb73
SHA512

820920b5fa5eae0d0d6fda557611e80c85be4245bad0939c6dc8f3f8adc51f19ae0415bdad0418017b9450ebb7bc53d1161bc65705bdf271c555ef39a2dd139d
SSDEEP

12288:CfbAKlys908EZrdVOaUy2Uq5k0y98mqeJF3Z4mxxnDqVTVOCTjf:CfbA7sodVOEbnqYQmX2VTz3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1920	login.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1920 set thread context of 4552	1920	login.exe	92

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\login.exe	595fba9869aabb57ce1eda59c6504a3a.exe
File created	C:\Program Files (x86)\login.exe	595fba9869aabb57ce1eda59c6504a3a.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\UNINSTAL.BAT	595fba9869aabb57ce1eda59c6504a3a.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1976	4552	WerFault.exe	92
4076	3684	WerFault.exe	60

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3684	595fba9869aabb57ce1eda59c6504a3a.exe
Token: SeDebugPrivilege	1920	login.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 4552	1920	login.exe	92
PID 1920 wrote to memory of 4552	1920	login.exe	92
PID 1920 wrote to memory of 4552	1920	login.exe	92
PID 1920 wrote to memory of 4552	1920	login.exe	92
PID 1920 wrote to memory of 4552	1920	login.exe	92
PID 3684 wrote to memory of 980	3684	595fba9869aabb57ce1eda59c6504a3a.exe	98
PID 3684 wrote to memory of 980	3684	595fba9869aabb57ce1eda59c6504a3a.exe	98
PID 3684 wrote to memory of 980	3684	595fba9869aabb57ce1eda59c6504a3a.exe	98

C:\Users\Admin\AppData\Local\Temp\595fba9869aabb57ce1eda59c6504a3a.exe
"C:\Users\Admin\AppData\Local\Temp\595fba9869aabb57ce1eda59c6504a3a.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 672
  2⤵
  - Program crash
  PID:4076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\UNINSTAL.BAT
  2⤵
  PID:980

C:\Program Files (x86)\login.exe
"C:\Program Files (x86)\login.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920
- C:\WINDOWS\SysWOW64\svchost.exe
  C:\WINDOWS\system32\svchost.exe
  2⤵
  PID:4552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 12
    3⤵
    - Program crash
    PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4552 -ip 4552
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3684 -ip 3684
1⤵
PID:2476

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\login.exe

Filesize
107KB

MD5
9a47f4ed3e6665b2b3313fe34bdc2da7

SHA1
c23e3fe9b311bf43c9408143e84084330ae46888

SHA256
93a281216bf43641f40b862584d83580ab5f6ef76955ef31efdc1cadfae1970a

SHA512
4739cd739f63c2d20cfa59dcdf1954b6857f28dd9d30dc7c068d8871a4251583b116b972f74e48f3d482f920cb9d3f6ebb0c4bb09e913f9403605c489c83e5b0

Download Submit
C:\Program Files (x86)\login.exe

Filesize
11KB

MD5
2beb25d71344bc3f6bca7699389fcf95

SHA1
fb03fca62488f90c22519015db842663b6948e93

SHA256
83c0b15fbfeca4ba0d2966e3de37f9b7e8b964fc59c11208912d3afcdb26c44a

SHA512
1c22fae42377f9c23d0afb33f14555634b2125fab4ae1775256f05a4f81653560daa4f0d9d3148dea2518b2839dc5e8fe1ed1fde5a3d6bf59ab52410fcfc16d8

Download Submit
C:\Windows\UNINSTAL.BAT

Filesize
186B

MD5
587384462d0b78d4fcc371ec53019c26

SHA1
e02c46208e6b5e43c6d58457c84354225310a318

SHA256
3aaeb74f67b2e5bf78392cd043ce9d2ed82ecb304e49827dfc72ee2822bbb482

SHA512
4c6c9704fe95c41c7dc7f3326fbc133d22666dbf7c2467d59b22c9b508a94c0ebac7a25ff70649e7c9d9ef0c3a0e1c81b214e6fb15bb2b0ad7c51d0374a0c906

Download Submit
memory/3684-0-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/3684-1-0x0000000000B60000-0x0000000000BB4000-memory.dmp

Filesize
336KB

Download
memory/3684-5-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/3684-12-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-19-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-21-0x0000000003600000-0x0000000003601000-memory.dmp

Filesize
4KB

Download
memory/3684-27-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-30-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-33-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-37-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-39-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-38-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-36-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-35-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-42-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-49-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-53-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-58-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-61-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-63-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-65-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-64-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-62-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-60-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-59-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-57-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-56-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-55-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-54-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-52-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-51-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-50-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-48-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-47-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-46-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-45-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-44-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-43-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-41-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-40-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-34-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-31-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-32-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-29-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-28-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-26-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-25-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-24-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-23-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-22-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-20-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-18-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-17-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-16-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-15-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-11-0x0000000003500000-0x0000000003600000-memory.dmp

Filesize
1024KB

Download
memory/3684-10-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/3684-9-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/3684-8-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/3684-7-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/3684-6-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/3684-4-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/3684-3-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/3684-2-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3684-120-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/4552-73-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download