Analysis
  max time kernel: 144s
  max time network: 148s
  platform: windows10-2004_x64
  resource: win10v2004-20231222-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 07-02-2024 19:32
Static task: static1

Behavioral task: behavioral1
  Sample: 337e300721c80ee6c114cc38b2ed786a.exe
  Resource: win7-20231215-en (windows7-x64)
  6 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: 337e300721c80ee6c114cc38b2ed786a.exe
  Resource: win10v2004-20231222-en (windows10-2004-x64)
  5 signatures, 150 seconds
General
  Target: 337e300721c80ee6c114cc38b2ed786a.exe
  Size: 1.8MB
  MD5: 337e300721c80ee6c114cc38b2ed786a
  SHA1: c6403b50de536acd4b7b90a4173ebe86bb86a001
  SHA256: 500670f00b1e99426a3f5a49634475b69e3bca76442f7ad6db3b082fd094aecb
  SHA512: bdec678edfcdd29d0c8fb585cedd628ee6629410e79cfae3f8747066f9264c2f4ad92a35a31df4a48ab8e4682b47aca49fbff3ce22c9e80f6ccad5796f6530b4
  SSDEEP: 24576:DTEk3Xn9SWNNjE6zdAiYVs6hkBWa514UeWgzSULrGlK3Tacr+bZ47x:3nN4AAU6AoPQULrGlK3TcZ47
  Score: 7/10
Malware Config
Signatures

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reun.exe (Process: DllHost.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reun.exe (Process: DllHost.exe)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  pid: 5004, pid_target: 4564, Process: WerFault.exe, procid_target: 82

Suspicious behavior: EnumeratesProcesses (42 IoCs)
  pid: 4564, Process: 337e300721c80ee6c114cc38b2ed786a.exe (42 identical entries)

Suspicious use of WriteProcessMemory (1 IoCs)
  description: PID 4564 wrote to memory of 3512, pid: 4564, Process: 337e300721c80ee6c114cc38b2ed786a.exe, procid_target: 56
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3512
  C:\Users\Admin\AppData\Local\Temp\337e300721c80ee6c114cc38b2ed786a.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\337e300721c80ee6c114cc38b2ed786a.exe"
    PID: 4564
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1092
      PID: 5004
      - Program crash

C:\Windows\SysWOW64\DllHost.exe
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
  PID: 1412
  - Drops startup file

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4564 -ip 4564
  PID: 1232