992b0539d05dc0722b79d60bf796b4ae7d8a77f54131c8466f7c407edd8ff36f

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9acd0df7fc2345b5fb74db414e1aaede.exe
Size

300KB
MD5

9acd0df7fc2345b5fb74db414e1aaede
SHA1

1b1e7d784c601d2850b2be63aaec49c6156779bf
SHA256

992b0539d05dc0722b79d60bf796b4ae7d8a77f54131c8466f7c407edd8ff36f
SHA512

98f8edd7c58be6d00f0da27caa108f5b743e9714d40ea5be25feea379ef0e625e80347fb5422e67df46f7e32bb4c629ad2b232fde9a1f4f57f24a35aaebfbd01
SSDEEP

6144:Q1db49+rEg024fpLZazEjvE/rbay19tSt4bO2BaDmeBJe59kISK:QjkArEN249AyE/rbaMct4bO2/VCK

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
564	server2.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5112-0-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/5112-9-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/5112-9-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
884	564	WerFault.exe	84

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 564	5112	9acd0df7fc2345b5fb74db414e1aaede.exe	84
PID 5112 wrote to memory of 564	5112	9acd0df7fc2345b5fb74db414e1aaede.exe	84
PID 5112 wrote to memory of 564	5112	9acd0df7fc2345b5fb74db414e1aaede.exe	84

C:\Users\Admin\AppData\Local\Temp\9acd0df7fc2345b5fb74db414e1aaede.exe
"C:\Users\Admin\AppData\Local\Temp\9acd0df7fc2345b5fb74db414e1aaede.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5112
- C:\server2.exe
  C:\server2.exe
  2⤵
  - Executes dropped EXE
  PID:564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 488
    3⤵
    - Program crash
    PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 564 -ip 564
1⤵
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\server2.exe

Filesize
10KB

MD5
5eadeaa2872307acd9c66c39a9ea9c13

SHA1
365a9ffa623d7f26dd7971eac1ae85cecc4fd629

SHA256
73f5da2bce8f817cc0e95a3cb8b351778c1adc25ab13fc698e1ff47dd3f56adb

SHA512
b5f4b4cda1d8cbeab925c36f687f9873b67735ba2e227f47565a031cfec6a9cfa907e62470fafcbd1fd20f9d9bb0203a8530265585db2a75ca171fbb1ded6a95

Download Submit
memory/5112-0-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/5112-9-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download