5aa317d3682ff127e1e92d2016c08f94be60937a1b8a210876d931d072386336

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-02-2024 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Job Interview/Interview.exe
Size

582KB
MD5

ce1054d542dbd999401236f2ce20f826
SHA1

df07ed235ee93f44f4f0e4dd73f0e8af068a7791
SHA256

81716b54cb34ef6d6938c042e30c847742dcffeb8ed4e67268387fed040b9315
SHA512

efe21b9393084e098b9e3baafcd7467e25d764b70a8f34d071de9c4f3e8f1ead3974c9fe3d98152eb16dbd17e7f6bed985939d6b305441cec4ac548284c9716b
SSDEEP

12288:x1ziebuYdvx24mGeamdda+W2JyaslYC1JL9PcSCfB:x1mohzmHamuCJyasaCVP6fB

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2140	FileCoAuth.exe

Loads dropped DLL 14 IoCs

pid	Process
1244	Interview.exe
1244	Interview.exe
1244	Interview.exe
1244	Interview.exe
2140	FileCoAuth.exe
2140	FileCoAuth.exe
2140	FileCoAuth.exe
2140	FileCoAuth.exe
2140	FileCoAuth.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveCoUpdate = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\cache\\logger\\FileCoAuth.exe"	Interview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2668	2140	WerFault.exe	28

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2140	1244	Interview.exe	28
PID 1244 wrote to memory of 2140	1244	Interview.exe	28
PID 1244 wrote to memory of 2140	1244	Interview.exe	28
PID 1244 wrote to memory of 2140	1244	Interview.exe	28
PID 2140 wrote to memory of 2668	2140	FileCoAuth.exe	29
PID 2140 wrote to memory of 2668	2140	FileCoAuth.exe	29
PID 2140 wrote to memory of 2668	2140	FileCoAuth.exe	29
PID 2140 wrote to memory of 2668	2140	FileCoAuth.exe	29

C:\Users\Admin\AppData\Local\Temp\Job Interview\Interview.exe
"C:\Users\Admin\AppData\Local\Temp\Job Interview\Interview.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\cache\logger\FileCoAuth.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\cache\logger\FileCoAuth.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\cache\logger\LoggingPlatform.DLL

Filesize
450KB

MD5
b54858b7357303dbd5582ea44abeeab8

SHA1
f3ba1d65f855d61dce13efbc42ce60ca8548a49c

SHA256
cc912e37802cd5c128c19949d4529e7d48266d67dd7b6dfedfd9c493d94cbe64

SHA512
b364ee1019e215c10030834cca4ca6436568e6ef25d2bee877b908bbf68f7c004559ff5317275b17c2f221c0daedbf50e11ec1bfe29c96cb61389cba75bb2295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\cache\logger\MSVCP140.dll

Filesize
438KB

MD5
a1b3963e1766c5266d94b171a4595cee

SHA1
9283a813774f2e310997ba08bca9ec96282a85d1

SHA256
0f5aeae55bf6d7b37e5582ec60bbdb93bf24adf648f9fa342cdba1b0a754e403

SHA512
ef0a3cb33902eb0dd3d80b688f5e23b4192ebafb131b30c56f27221412daf72b40c3e17670ec1ca8209775369f93bf66a3a75ae5acff45e629e732464d3972b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\cache\logger\Secur32.dll

Filesize
147KB

MD5
05fcace605b525f1bece1813bb18a56c

SHA1
a3218432f34aaeabe253d07efab27bb7fff2061c

SHA256
720afa3e1216a9eb68b66858d50de0326f52afa279ef9ee0521aee98b312382f

SHA512
bcce1ea35ec0422895d7ed1ca9139ab7f695b101c2667e596dfb8d5488f695a9171df674ab2e9c8dd66f4b620fd1853caf8f4f3123acaf81a1a714b583bb009d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\cache\logger\UpdateRingSettings.dll

Filesize
377KB

MD5
9f950504d5ea22c6f1ee20f7c2ed3b7b

SHA1
5090de783322847e6395567e7449fc4200b054a5

SHA256
37253093d3c8ed1d56b3a50f31f8944888ff38b714097637c5372a0ad19c337b

SHA512
ae80c7778304140d4476d42f6ef4439c61c2ec4ff42958007b93418a53908fb516544c57e1db99b7a6d79ae501f49c46f6636d8f967b033e744feb33879e0734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\cache\logger\VCRUNTIME140.dll

Filesize
77KB

MD5
f686e2331a83d20798cfc2734729e531

SHA1
c7e6398f5a735039baabf22712c5a8aee5a945e1

SHA256
535f74f446a1b7b53da24a742d02369cbcc609003a6b4a8175491aa71c5481b4

SHA512
30ea339ec845dbc9aa7b323ed25e516cb04f3e17789cd28f54646c82395f0b42eb4a5d4d4aa06c4d39b9602c37590b31ca5c0bfa22a514a73ec45e39c0d8e31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\telemetry-dll-ramp-value.txt

Filesize
10B

MD5
9dce95ff107bc042fd5779428639ee61

SHA1
f11fa1b440d6fdd103d4332aad93fc6e72662309

SHA256
76ac2a4c5c88e8778320680074cb6bae74517e663cb744ff82d2a7d164a73b86

SHA512
c28f6bb241168cba3a9a8b4b6a5a97a35af087d167835677d4b1bca2efdc290226888df923f9148f8c69b4fb592a7b39f369d8f3d3a7d0afb11519c023e1097b

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\cache\logger\FileCoAuth.exe

Filesize
582KB

MD5
ce1054d542dbd999401236f2ce20f826

SHA1
df07ed235ee93f44f4f0e4dd73f0e8af068a7791

SHA256
81716b54cb34ef6d6938c042e30c847742dcffeb8ed4e67268387fed040b9315

SHA512
efe21b9393084e098b9e3baafcd7467e25d764b70a8f34d071de9c4f3e8f1ead3974c9fe3d98152eb16dbd17e7f6bed985939d6b305441cec4ac548284c9716b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads