96505bdda828a2456a9a0c8a26596a612bdff2c3f6812924f5b38c8c8a9744d3

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 02:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

643fb761d29bcfd866c3afd2101ffc0c.exe
Size

219KB
MD5

643fb761d29bcfd866c3afd2101ffc0c
SHA1

fe28e1aacb56dce87476a5701141ef37ff5eee40
SHA256

96505bdda828a2456a9a0c8a26596a612bdff2c3f6812924f5b38c8c8a9744d3
SHA512

ea7c04560b65107c720fd6d4ab78af67724062e08ad3e3f6fa5940e4998544d64340f14e1e7c90cbdccda8321c147ccd209521f1e37cffde9a6c0271e9e6e485
SSDEEP

6144:LjUtxynBCBwZj4vE9dkIDcpkW5x/BUD/tE:HUTwBCBoAff5UDlE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1308	carss.exe

Loads dropped DLL 1 IoCs

pid	Process
1308	carss.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\wi240601203nd.temp	643fb761d29bcfd866c3afd2101ffc0c.exe
File created	C:\Program Files\Internet Explorer\carss.exe	643fb761d29bcfd866c3afd2101ffc0c.exe
File opened for modification	C:\Program Files\Internet Explorer\carss.exe	643fb761d29bcfd866c3afd2101ffc0c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2908	643fb761d29bcfd866c3afd2101ffc0c.exe
2908	643fb761d29bcfd866c3afd2101ffc0c.exe
2908	643fb761d29bcfd866c3afd2101ffc0c.exe
2908	643fb761d29bcfd866c3afd2101ffc0c.exe
2908	643fb761d29bcfd866c3afd2101ffc0c.exe
2908	643fb761d29bcfd866c3afd2101ffc0c.exe
2908	643fb761d29bcfd866c3afd2101ffc0c.exe
2908	643fb761d29bcfd866c3afd2101ffc0c.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe
1308	carss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3964	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 1308	2908	643fb761d29bcfd866c3afd2101ffc0c.exe	88
PID 2908 wrote to memory of 1308	2908	643fb761d29bcfd866c3afd2101ffc0c.exe	88
PID 2908 wrote to memory of 1308	2908	643fb761d29bcfd866c3afd2101ffc0c.exe	88

C:\Users\Admin\AppData\Local\Temp\643fb761d29bcfd866c3afd2101ffc0c.exe
"C:\Users\Admin\AppData\Local\Temp\643fb761d29bcfd866c3afd2101ffc0c.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Program Files\Internet Explorer\carss.exe
  "C:\Program Files\Internet Explorer\carss.exe" C:\WINDOWS\Temp\hx107.tmp CodeMain
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1308

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\carss.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\WINDOWS\Temp\hx107.tmp

Filesize
6.8MB

MD5
c09265cd95c41e1493be39c78ac06f88

SHA1
4dfc786e1033592df5e4632e1b12f492339cc75d

SHA256
6a47dc24f39dcc89637ea45466d14d365a1010f877765f1268398a1909037f28

SHA512
8d897391bdb3b12559075301f722fb728ca2784a125bd7b6b1d28cd84dd85db9401c665162e51858591a3edf601ab7ccd66f5800183ea8a5c24ae0eba63e51e9

Download Submit
C:\Windows\Temp\hx107.tmp

Filesize
8.0MB

MD5
28a69c4865461f94cb3676abce6fc1d0

SHA1
63fba7b76d6ff2fd923078b721ff56ef6a28a982

SHA256
a233c40c98089d1ecf121cc7927add0a90db2064c94b2d08b012e085d856fd43

SHA512
fed12081bf6030bec92f9e2aad578de95907b3fa0a2aafdda857d2da9d29e495e4ae4ee2f26b24a07a3ff8227f341211af63742e870b441862c76dd573f92502

Download Submit
memory/2908-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2908-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3964-11-0x000002A712140000-0x000002A712150000-memory.dmp

Filesize
64KB

Download
memory/3964-27-0x000002A712240000-0x000002A712250000-memory.dmp

Filesize
64KB

Download
memory/3964-43-0x000002A71A5B0000-0x000002A71A5B1000-memory.dmp

Filesize
4KB

Download
memory/3964-45-0x000002A71A5E0000-0x000002A71A5E1000-memory.dmp

Filesize
4KB

Download
memory/3964-46-0x000002A71A5E0000-0x000002A71A5E1000-memory.dmp

Filesize
4KB

Download
memory/3964-47-0x000002A71A6F0000-0x000002A71A6F1000-memory.dmp

Filesize
4KB

Download