9e81938257f26e816c07296be5bcb56493e1d9c03d783b7bdb8a08bfc402066f

Analysis

max time kernel
139s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bd06da4addeca3f0242da79752513ed.exe
Size

797KB
MD5

8bd06da4addeca3f0242da79752513ed
SHA1

24777f96de691f548f4b685d5b645cbe95d51c37
SHA256

9e81938257f26e816c07296be5bcb56493e1d9c03d783b7bdb8a08bfc402066f
SHA512

69b3f5699dfe2427294361a11467fff00071f1fa13a1a22d68217b86efa4a94cb28d35a6d5793cd6048748670114cb629fa0844b529123cc5bd6a821c0bd4367
SSDEEP

24576:fWwQMN2K3yWds0JkKyVANF6kPx9wR/UQmcv+7wVD:fWlhadsLGfD3aewZ

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4160	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4432 set thread context of 416	4432	8bd06da4addeca3f0242da79752513ed.exe	83
PID 416 set thread context of 4160	416	8bd06da4addeca3f0242da79752513ed.exe	84
PID 416 set thread context of 3688	416	8bd06da4addeca3f0242da79752513ed.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1964	3688	WerFault.exe	85

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4432	8bd06da4addeca3f0242da79752513ed.exe
4432	8bd06da4addeca3f0242da79752513ed.exe
416	8bd06da4addeca3f0242da79752513ed.exe
4160	svchost.exe
4160	svchost.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 416	4432	8bd06da4addeca3f0242da79752513ed.exe	83
PID 4432 wrote to memory of 416	4432	8bd06da4addeca3f0242da79752513ed.exe	83
PID 4432 wrote to memory of 416	4432	8bd06da4addeca3f0242da79752513ed.exe	83
PID 4432 wrote to memory of 416	4432	8bd06da4addeca3f0242da79752513ed.exe	83
PID 4432 wrote to memory of 416	4432	8bd06da4addeca3f0242da79752513ed.exe	83
PID 4432 wrote to memory of 416	4432	8bd06da4addeca3f0242da79752513ed.exe	83
PID 4432 wrote to memory of 416	4432	8bd06da4addeca3f0242da79752513ed.exe	83
PID 4432 wrote to memory of 416	4432	8bd06da4addeca3f0242da79752513ed.exe	83
PID 416 wrote to memory of 4160	416	8bd06da4addeca3f0242da79752513ed.exe	84
PID 416 wrote to memory of 4160	416	8bd06da4addeca3f0242da79752513ed.exe	84
PID 416 wrote to memory of 4160	416	8bd06da4addeca3f0242da79752513ed.exe	84
PID 416 wrote to memory of 4160	416	8bd06da4addeca3f0242da79752513ed.exe	84
PID 416 wrote to memory of 4160	416	8bd06da4addeca3f0242da79752513ed.exe	84
PID 416 wrote to memory of 4160	416	8bd06da4addeca3f0242da79752513ed.exe	84
PID 416 wrote to memory of 4160	416	8bd06da4addeca3f0242da79752513ed.exe	84
PID 416 wrote to memory of 4160	416	8bd06da4addeca3f0242da79752513ed.exe	84
PID 416 wrote to memory of 4160	416	8bd06da4addeca3f0242da79752513ed.exe	84
PID 416 wrote to memory of 4160	416	8bd06da4addeca3f0242da79752513ed.exe	84
PID 416 wrote to memory of 4160	416	8bd06da4addeca3f0242da79752513ed.exe	84
PID 416 wrote to memory of 4160	416	8bd06da4addeca3f0242da79752513ed.exe	84
PID 416 wrote to memory of 3688	416	8bd06da4addeca3f0242da79752513ed.exe	85
PID 416 wrote to memory of 3688	416	8bd06da4addeca3f0242da79752513ed.exe	85
PID 416 wrote to memory of 3688	416	8bd06da4addeca3f0242da79752513ed.exe	85
PID 416 wrote to memory of 3688	416	8bd06da4addeca3f0242da79752513ed.exe	85
PID 416 wrote to memory of 3688	416	8bd06da4addeca3f0242da79752513ed.exe	85
PID 416 wrote to memory of 3688	416	8bd06da4addeca3f0242da79752513ed.exe	85
PID 416 wrote to memory of 3688	416	8bd06da4addeca3f0242da79752513ed.exe	85
PID 416 wrote to memory of 3688	416	8bd06da4addeca3f0242da79752513ed.exe	85
PID 416 wrote to memory of 3688	416	8bd06da4addeca3f0242da79752513ed.exe	85

C:\Users\Admin\AppData\Local\Temp\8bd06da4addeca3f0242da79752513ed.exe
"C:\Users\Admin\AppData\Local\Temp\8bd06da4addeca3f0242da79752513ed.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Users\Admin\AppData\Local\Temp\8bd06da4addeca3f0242da79752513ed.exe
  C:\Users\Admin\AppData\Local\Temp\8bd06da4addeca3f0242da79752513ed.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:416
- - \??\c:\windows\SysWOW64\svchost.exe
    c:\windows\system32\svchost.exe
    3⤵
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:4160
- - C:\Users\Admin\AppData\Local\Temp\8bd06da4addeca3f0242da79752513ed.exe
    C:\Users\Admin\AppData\Local\Temp\8bd06da4addeca3f0242da79752513ed.exe
    3⤵
    PID:3688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 528
      4⤵
      Program crash
      PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3688 -ip 3688
1⤵
PID:4092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\users\admin\appdata\local\temp\289B9A8F

Filesize
14B

MD5
b3a310c2b28ab5b48a1722813d339539

SHA1
ca521417fa24b6eb9bb095961f016e8282f91d3c

SHA256
24072befa6661bbd960e300c9551b5a362acb7fd1ee1b3836ae8c83acc062380

SHA512
5928a20e7f8afb8f34240d7bb579502bffea4773be6187758a02dc7ce1cab678bf075206ca5e19c914d70974ad271da1e5863b2c98c11591597dafcbfbb5ae83

Download Submit
memory/416-18-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/416-6-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/416-10-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/416-4-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3688-29-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3688-28-0x00000000004C0000-0x00000000004D5000-memory.dmp

Filesize
84KB

Download
memory/3688-17-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3688-14-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4160-13-0x0000000000400000-0x00000000007A9000-memory.dmp

Filesize
3.7MB

Download
memory/4160-15-0x0000000000400000-0x00000000007A9000-memory.dmp

Filesize
3.7MB

Download
memory/4160-21-0x0000000000400000-0x00000000007A9000-memory.dmp

Filesize
3.7MB

Download
memory/4160-23-0x0000000000400000-0x00000000007A9000-memory.dmp

Filesize
3.7MB

Download
memory/4160-24-0x0000000000400000-0x00000000007A9000-memory.dmp

Filesize
3.7MB

Download
memory/4160-11-0x0000000000400000-0x00000000007A9000-memory.dmp

Filesize
3.7MB

Download
memory/4160-30-0x0000000000400000-0x00000000007A9000-memory.dmp

Filesize
3.7MB

Download
memory/4432-0-0x0000000000400000-0x00000000007A9000-memory.dmp

Filesize
3.7MB

Download
memory/4432-9-0x0000000000400000-0x00000000007A9000-memory.dmp

Filesize
3.7MB

Download