Analysis
max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-03-2024 16:53
Behavioral task: behavioral1
Sample: b52f869be871e4819f00ec98d28ef348.exe
Resource: win7-20240221-en (windows7-x64)
6 signatures, 150 seconds

Behavioral task: behavioral2
Sample: b52f869be871e4819f00ec98d28ef348.exe
Resource: win10v2004-20240226-en (windows10-2004-x64)
5 signatures, 150 seconds
General
Target: b52f869be871e4819f00ec98d28ef348.exe
Size: 4KB
MD5: b52f869be871e4819f00ec98d28ef348
SHA1: 8b8429064a0f56cef99ba898b09f4dd3116f7038
SHA256: 935b44ce59cdfdcb4a75cd3465c8081379b78a6eb6d7c6ae11150f9b69ece738
SHA512: ac00876ba743dcdab9ab49f051fcc26b9963863b87950012be301ebfeb23f5ffad3d71ff69362e7e3782376fc66821d59705835de351dadf65e308a48dfa77be
SSDEEP: 48:i+VlBCm2H+Jcv1LTTgndQYE3ZtkB0tu9RmspgDg0Hw5YSecJeY8JqJklT8iuhoB+:HL8Ne+1oSG0g9ppgDg0QfSlT8iuu4
Score: 7/10
Malware Config
Signatures
resource: behavioral2/memory/3412-0-0x0000000000400000-0x0000000000406000-memory.dmp, yara_rule: upx
resource: behavioral2/memory/3412-3-0x0000000000400000-0x0000000000406000-memory.dmp, yara_rule: upx
Adds Run key to start application (2 TTPs, 1 IoCs)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winsock startup = "runddl32.exe"
Process: b52f869be871e4819f00ec98d28ef348.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
description: File created, ioc: C:\Windows\runddl32.exe, Process: b52f869be871e4819f00ec98d28ef348.exe
description: File opened for modification, ioc: C:\Windows\runddl32.exe, Process: b52f869be871e4819f00ec98d28ef348.exe
Program crash (1 IoCs)
pid: 2224, pid_target: 3412, Process: WerFault.exe, procid_target: 94
Processes
- C:\Users\Admin\AppData\Local\Temp\b52f869be871e4819f00ec98d28ef348.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b52f869be871e4819f00ec98d28ef348.exe"
  PID: 3412
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 348
    PID: 2224
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3412 -ip 3412
  PID: 4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3712 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
  PID: 3512