a5552237bf0ede9675b646aea11141c7763ed882fc8dbfe1b036f6347fe98ad3

Analysis

max time kernel
94s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/02/2024, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5552237bf0ede9675b646aea11141c7763ed882fc8dbfe1b036f6347fe98ad3.exe
Size

495KB
MD5

b48f191956b17605899eec0ae1ae255e
SHA1

3596126e49ff1ca312b8a2c036976d6f44a5cdbf
SHA256

a5552237bf0ede9675b646aea11141c7763ed882fc8dbfe1b036f6347fe98ad3
SHA512

a686323d7d2c6ef0858f2b7cfc20de8d49a2dda723dfd8b50d84677d9a29dc3b52046c2e4b964445d594f6a358abe11a7e89e95a63e4e33f9e7fcba27c6f3cf8
SSDEEP

6144:IGiZdPcmSA8PTFZ95of0ZcG6g/TQ6nLnxXx0ME/vG0o+srNodb0FA+/yYNqnTU:gdPcmSAQhZ95E0X9xhUm0+N12+/yYKU

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1768	ovxufjxjbx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hqduamc = "C:\\Users\\Admin\\AppData\\Roaming\\tjxruxolpube\\sjdyafkdcai.exe"	ovxufjxjbx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2256	1768	WerFault.exe	85

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 1768	2244	a5552237bf0ede9675b646aea11141c7763ed882fc8dbfe1b036f6347fe98ad3.exe	85
PID 2244 wrote to memory of 1768	2244	a5552237bf0ede9675b646aea11141c7763ed882fc8dbfe1b036f6347fe98ad3.exe	85
PID 2244 wrote to memory of 1768	2244	a5552237bf0ede9675b646aea11141c7763ed882fc8dbfe1b036f6347fe98ad3.exe	85
PID 1768 wrote to memory of 560	1768	ovxufjxjbx.exe	86
PID 1768 wrote to memory of 560	1768	ovxufjxjbx.exe	86
PID 1768 wrote to memory of 560	1768	ovxufjxjbx.exe	86

C:\Users\Admin\AppData\Local\Temp\a5552237bf0ede9675b646aea11141c7763ed882fc8dbfe1b036f6347fe98ad3.exe
"C:\Users\Admin\AppData\Local\Temp\a5552237bf0ede9675b646aea11141c7763ed882fc8dbfe1b036f6347fe98ad3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\ovxufjxjbx.exe
  C:\Users\Admin\AppData\Local\Temp\ovxufjxjbx.exe C:\Users\Admin\AppData\Local\Temp\npyoqck
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Users\Admin\AppData\Local\Temp\ovxufjxjbx.exe
    C:\Users\Admin\AppData\Local\Temp\ovxufjxjbx.exe C:\Users\Admin\AppData\Local\Temp\npyoqck
    3⤵
    PID:560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 696
    3⤵
    - Program crash
    PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1768 -ip 1768
1⤵
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c189f3vigcx5c

Filesize
226KB

MD5
158d338032bd7905cf9d350c7a3eb35f

SHA1
065e9a8e3eccd27d2193fbfe1c1e72938f244ec2

SHA256
9c2b676978c47690e2ec5a21da140d72a920a150d345c82f3f8a6fa689509850

SHA512
85daaf9b652b498ebecd50a144b1917fd34d19653cb4cd8180ca1337c48eb929c3dfbd37cb5bdb499d36b3acb1d0e1ea514ca51036224624c06a69e8e069db07

Download Submit
C:\Users\Admin\AppData\Local\Temp\npyoqck

Filesize
7KB

MD5
cc6e7e124ec5f142edf2d9f7d40cb557

SHA1
a610ce00dc0ed76af1c272231c4a1a7604a844fc

SHA256
f0919abe1364d0ae123dd21df94ec9bbef947293a20e4b6c85e266f19ff20567

SHA512
4bca46ef0102deb09eaba8a62f1382b49be44f7da05024c1ddb4c9f7f79d0365aea72d0435574f9261ffd639a04d14a276a5e604e23fe8e251dcdafee78506e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovxufjxjbx.exe

Filesize
167KB

MD5
b71cd76dee505d8c2e7da40d137a333c

SHA1
29db72bb8d7b46d9f960d8e2b910b757692e2e42

SHA256
3058527607e7cba0c4c1e5c5195b1db11898dae1fedd39c45255871da0c2a6ff

SHA512
b041e5724fa55539e0eeaa56f5bb6f754ab307fe11a9f1aec394644cf3db8a51d5356b4e0c75feb217a4c7ff603ff319c6a5cffc1b1f70d735504ae5e1a25fc4

Download Submit
memory/1768-8-0x00000000009F0000-0x00000000009F2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads