9e18a89c79fba1921f5de97ed8063d76b8af32c54e5cf2b688f1149d4a227dc5

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8604162466154d6f90d7df94111e20a.exe
Size

1003KB
MD5

b8604162466154d6f90d7df94111e20a
SHA1

5f979878bddec4e103ebaa75713bd097d13ce4e7
SHA256

9e18a89c79fba1921f5de97ed8063d76b8af32c54e5cf2b688f1149d4a227dc5
SHA512

98aa1fe28392f171cdfee660c30414d8bfaf083cd22d43a1454dc39f2c00e150e1aaa72496729d666abbcaa296980e55eb0b9431bde63927a73e6ece2c4bc5d3
SSDEEP

24576:JLSP60v/4yHtDPDJZ6VknyN2aPHrSVp7HT6O9:xY60v/4yHtDPDJZowyN2aTSVpT+O9

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4876	b8604162466154d6f90d7df94111e20a.exe

Executes dropped EXE 1 IoCs

pid	Process
4876	b8604162466154d6f90d7df94111e20a.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2180-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x0007000000023201-12.dat	upx
behavioral2/memory/4876-14-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
28	pastebin.com

Program crash 13 IoCs

pid	pid_target	Process	procid_target
3832	4876	WerFault.exe	88
3920	4876	WerFault.exe	88
1020	4876	WerFault.exe	88
3080	4876	WerFault.exe	88
1348	4876	WerFault.exe	88
5004	4876	WerFault.exe	88
2956	4876	WerFault.exe	88
2328	4876	WerFault.exe	88
4884	4876	WerFault.exe	88
4840	4876	WerFault.exe	88
5016	4876	WerFault.exe	88
3952	4876	WerFault.exe	88
3144	4876	WerFault.exe	88

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4956	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2180	b8604162466154d6f90d7df94111e20a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2180	b8604162466154d6f90d7df94111e20a.exe
4876	b8604162466154d6f90d7df94111e20a.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 4876	2180	b8604162466154d6f90d7df94111e20a.exe	88
PID 2180 wrote to memory of 4876	2180	b8604162466154d6f90d7df94111e20a.exe	88
PID 2180 wrote to memory of 4876	2180	b8604162466154d6f90d7df94111e20a.exe	88
PID 4876 wrote to memory of 4956	4876	b8604162466154d6f90d7df94111e20a.exe	92
PID 4876 wrote to memory of 4956	4876	b8604162466154d6f90d7df94111e20a.exe	92
PID 4876 wrote to memory of 4956	4876	b8604162466154d6f90d7df94111e20a.exe	92
PID 4876 wrote to memory of 3976	4876	b8604162466154d6f90d7df94111e20a.exe	94
PID 4876 wrote to memory of 3976	4876	b8604162466154d6f90d7df94111e20a.exe	94
PID 4876 wrote to memory of 3976	4876	b8604162466154d6f90d7df94111e20a.exe	94
PID 3976 wrote to memory of 2164	3976	cmd.exe	96
PID 3976 wrote to memory of 2164	3976	cmd.exe	96
PID 3976 wrote to memory of 2164	3976	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\b8604162466154d6f90d7df94111e20a.exe
"C:\Users\Admin\AppData\Local\Temp\b8604162466154d6f90d7df94111e20a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\b8604162466154d6f90d7df94111e20a.exe
  C:\Users\Admin\AppData\Local\Temp\b8604162466154d6f90d7df94111e20a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\b8604162466154d6f90d7df94111e20a.exe" /TN DQCzT8QTc52d /F
    3⤵
    - Creates scheduled task(s)
    PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN DQCzT8QTc52d > C:\Users\Admin\AppData\Local\Temp\juyaNIOj.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN DQCzT8QTc52d
      4⤵
      PID:2164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 616
    3⤵
    - Program crash
    PID:3832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 608
    3⤵
    - Program crash
    PID:3920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 724
    3⤵
    - Program crash
    PID:1020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 632
    3⤵
    - Program crash
    PID:3080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 632
    3⤵
    - Program crash
    PID:1348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 780
    3⤵
    - Program crash
    PID:5004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1472
    3⤵
    - Program crash
    PID:2956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1924
    3⤵
    - Program crash
    PID:2328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 2144
    3⤵
    - Program crash
    PID:4884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 2132
    3⤵
    - Program crash
    PID:4840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 2148
    3⤵
    - Program crash
    PID:5016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1936
    3⤵
    - Program crash
    PID:3952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 720
    3⤵
    - Program crash
    PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4876 -ip 4876
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4876 -ip 4876
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4876 -ip 4876
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4876 -ip 4876
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4876 -ip 4876
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4876 -ip 4876
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4876 -ip 4876
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4876 -ip 4876
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4876 -ip 4876
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4876 -ip 4876
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4876 -ip 4876
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4876 -ip 4876
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4876 -ip 4876
1⤵
PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b8604162466154d6f90d7df94111e20a.exe

Filesize
1003KB

MD5
ec3f4859d7dbcf1fe366c5132626cc4c

SHA1
5a4bd1b6773ebc78b808b0f5a86406cec765f18d

SHA256
c35c9532614ccabe820769bffb376b4f3933f4845dd02fc277b95a1242b92224

SHA512
23fa50fe9187623eb72867d1e6fec0682445079e347a41048f22cb41337ecd2a54d68ac1bba341562b93e1e6aeff89636f29a896656e343c157c0035873b4edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\juyaNIOj.xml

Filesize
1KB

MD5
4cbdf05cc80f73e26d1b191ea1136fb8

SHA1
d340c5a0b037668276de8e9a84eb385c9692b70c

SHA256
b72fdd6c74d73658a55d86dd3574133c1bda05b8b11ed41e85b35717e473389d

SHA512
0891083db9f1cb45506daf004ad34c5ad44079a64b3254dd201940c48a7f79a532b8cfc75af77ac259b7da584c9773d7e14fb2fbe5dbed094a5b68b0b351049e

Download Submit
memory/2180-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2180-2-0x0000000025030000-0x00000000250AE000-memory.dmp

Filesize
504KB

Download
memory/2180-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2180-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4876-14-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4876-16-0x0000000001730000-0x00000000017AE000-memory.dmp

Filesize
504KB

Download
memory/4876-23-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/4876-22-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4876-32-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads