b009169a2965f738e64c5636ba9c38d8859e11b8b8d2c5d48869eac0da975085

Analysis

max time kernel
143s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

778efeeba34cb65c696d8054e2c1bd24.exe
Size

298KB
MD5

778efeeba34cb65c696d8054e2c1bd24
SHA1

4da1799c8d83cf93364699cb90f07242208f5794
SHA256

b009169a2965f738e64c5636ba9c38d8859e11b8b8d2c5d48869eac0da975085
SHA512

d0f027403e0e79fd302e7046a4e423ae4f12436b7c3fa3f65d57f7fdff37f68734a18cb00f915e82379029b51192edffe84b6b4b2bfbc8d2f3a5c33ee9860ff4
SSDEEP

6144:54lRkAehaKuqT+FjAgDR6VCjX34JKADBrk3dkJHq4b:5kWAehJuqTroWCbIJKark3SJHq4b

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2468	flash.exe
2708	flash.exe

Loads dropped DLL 7 IoCs

pid	Process
828	778efeeba34cb65c696d8054e2c1bd24.exe
828	778efeeba34cb65c696d8054e2c1bd24.exe
2468	flash.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2468 set thread context of 2708	2468	flash.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
764	2708	WerFault.exe	29

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2468	flash.exe
2468	flash.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 2468	828	778efeeba34cb65c696d8054e2c1bd24.exe	28
PID 828 wrote to memory of 2468	828	778efeeba34cb65c696d8054e2c1bd24.exe	28
PID 828 wrote to memory of 2468	828	778efeeba34cb65c696d8054e2c1bd24.exe	28
PID 828 wrote to memory of 2468	828	778efeeba34cb65c696d8054e2c1bd24.exe	28
PID 828 wrote to memory of 2468	828	778efeeba34cb65c696d8054e2c1bd24.exe	28
PID 828 wrote to memory of 2468	828	778efeeba34cb65c696d8054e2c1bd24.exe	28
PID 828 wrote to memory of 2468	828	778efeeba34cb65c696d8054e2c1bd24.exe	28
PID 2468 wrote to memory of 2708	2468	flash.exe	29
PID 2468 wrote to memory of 2708	2468	flash.exe	29
PID 2468 wrote to memory of 2708	2468	flash.exe	29
PID 2468 wrote to memory of 2708	2468	flash.exe	29
PID 2468 wrote to memory of 2708	2468	flash.exe	29
PID 2468 wrote to memory of 2708	2468	flash.exe	29
PID 2468 wrote to memory of 2708	2468	flash.exe	29
PID 2468 wrote to memory of 2708	2468	flash.exe	29
PID 2468 wrote to memory of 2708	2468	flash.exe	29
PID 2468 wrote to memory of 2708	2468	flash.exe	29
PID 2468 wrote to memory of 2708	2468	flash.exe	29
PID 2468 wrote to memory of 2708	2468	flash.exe	29
PID 2468 wrote to memory of 2708	2468	flash.exe	29
PID 2708 wrote to memory of 764	2708	flash.exe	30
PID 2708 wrote to memory of 764	2708	flash.exe	30
PID 2708 wrote to memory of 764	2708	flash.exe	30
PID 2708 wrote to memory of 764	2708	flash.exe	30
PID 2708 wrote to memory of 764	2708	flash.exe	30
PID 2708 wrote to memory of 764	2708	flash.exe	30
PID 2708 wrote to memory of 764	2708	flash.exe	30

C:\Users\Admin\AppData\Local\Temp\778efeeba34cb65c696d8054e2c1bd24.exe
"C:\Users\Admin\AppData\Local\Temp\778efeeba34cb65c696d8054e2c1bd24.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\flash.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\flash.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\flash.exe
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\flash.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 216
      4⤵
      Loads dropped DLL
      Program crash
      PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\flash.exe

Filesize
118KB

MD5
4cda2afba43485f8f4eca4c6938815a2

SHA1
ee0fa02a0f2523703967d15de59bbe872f2b50df

SHA256
ba127bc5d12de76189ed20ee8c2c212236ab6229717814723253889930baa225

SHA512
a2d6966b79a9215e32670d43e0cf3159f67635028df4a57a1fee4e65b163c05bc6a4f4c37408a42dfa9947c393b49114d14afc843a2acf39340cb3d88224c2a6

Download Submit
memory/2468-11-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2468-12-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2468-10-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2468-13-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2468-14-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2468-15-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/2468-16-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2468-17-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/2468-18-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/2468-19-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2468-20-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2468-21-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2468-22-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/2468-23-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2468-24-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2468-25-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2468-26-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2468-27-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2468-28-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2468-29-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/2468-30-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/2468-31-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/2708-35-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2708-38-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2708-40-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download