a6dca37a3875494c9698eed58b39761b2dbd4df8db22ce270b4572c7272b5dd2 | Triage

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2024, 00:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

59c834958078755f6dc1268573a7bebe.exe
Size

32KB
MD5

59c834958078755f6dc1268573a7bebe
SHA1

175225422a020694f6156df53ee6a23260ab7ed8
SHA256

a6dca37a3875494c9698eed58b39761b2dbd4df8db22ce270b4572c7272b5dd2
SHA512

d550599778cd66e90c089761a1a32f9b2188f31cb649272587254bef2c9d7e7253b3fa516a3c886aa9d5c38e70e197b1a012b5ecb1489c30928f56002f13c041
SSDEEP

384:/TdAdDqmPyNDmngdRkt+9UuhxWiIY58MxZhAGOF3vJ:/mdeT9mBo91WpOxZh63vJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4532	rst.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rst.exe	59c834958078755f6dc1268573a7bebe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4372	4532	WerFault.exe	87

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2896	59c834958078755f6dc1268573a7bebe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 4532	2896	59c834958078755f6dc1268573a7bebe.exe	87
PID 2896 wrote to memory of 4532	2896	59c834958078755f6dc1268573a7bebe.exe	87
PID 2896 wrote to memory of 4532	2896	59c834958078755f6dc1268573a7bebe.exe	87

C:\Users\Admin\AppData\Local\Temp\59c834958078755f6dc1268573a7bebe.exe
"C:\Users\Admin\AppData\Local\Temp\59c834958078755f6dc1268573a7bebe.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\rst.exe
  C:\Windows\system32\rst.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 496
    3⤵
    - Program crash
    PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4532 -ip 4532
1⤵
PID:1116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rst.exe

Filesize
8KB

MD5
bcd53a5ce66577bf59bf0d95d14fc782

SHA1
5a048bc33eb53a33f89cda67abb9316d5328f244

SHA256
61d870d64c0185267469c2ca2d8fe7621897ec2e5b93a0fdc8e1d7eb7595c4a5

SHA512
cf052fe4e57ffa348e8b70f3ec1179218d8eccabdc4a101570ae2bf5a1ae0e9f187dbffb44d133ce1c4ef10b34378b09cae8d87ae77b0bed41c80b173f3f6810

Download Submit