a29c36e4ef2706eee517c136a45f4d5ba7253406e559d6ccb25821b4cfb730d4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 11:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b89b75a04408c403fa757a4a40292d9a.exe
Size

48KB
MD5

b89b75a04408c403fa757a4a40292d9a
SHA1

de757b6fe3363900e53a44cc743b7cda32d0005f
SHA256

a29c36e4ef2706eee517c136a45f4d5ba7253406e559d6ccb25821b4cfb730d4
SHA512

a1a7ea81a68fd6816af713fd1e2146a735aa0c86c4bd608b27ce19ae46f7e06011fe09f65a3d1af19ddddea198dfc1a71aba728c9400ac339706b83c71d897ac
SSDEEP

768:72sLfb9B+Xj7EDliIdwim/gcVtZN3QJIX0jJaOmZVyF7j3bX8LjSmMFvIh9F8ro:72yfb9ouMniU/ZoVjJarZ67X3mDbaro

Score

7^/10

persistence upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4984	b89b75a04408c403fa757a4a40292d9a.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4984-1-0x00000000001C0000-0x00000000001E0000-memory.dmp	upx
behavioral2/memory/4984-11-0x00000000023D0000-0x00000000023F0000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x7 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winlog0n.exe"	b89b75a04408c403fa757a4a40292d9a.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3068	4984	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4984	b89b75a04408c403fa757a4a40292d9a.exe
4984	b89b75a04408c403fa757a4a40292d9a.exe
4984	b89b75a04408c403fa757a4a40292d9a.exe
4984	b89b75a04408c403fa757a4a40292d9a.exe
4984	b89b75a04408c403fa757a4a40292d9a.exe
4984	b89b75a04408c403fa757a4a40292d9a.exe
4984	b89b75a04408c403fa757a4a40292d9a.exe
4984	b89b75a04408c403fa757a4a40292d9a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4984	b89b75a04408c403fa757a4a40292d9a.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 3452	4984	b89b75a04408c403fa757a4a40292d9a.exe	57

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\b89b75a04408c403fa757a4a40292d9a.exe
  "C:\Users\Admin\AppData\Local\Temp\b89b75a04408c403fa757a4a40292d9a.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 424
    3⤵
    - Program crash
    PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4984 -ip 4984
1⤵
PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LgSy0.dll

Filesize
26KB

MD5
4112cfa54f60e91d936e1e21c9662e03

SHA1
bddd4969c39e09c0b0527b882651d2763b7d1ac4

SHA256
e47f9720aeed19073dbc85107b7395edb2293745ee1be067f8cc13df6662ced1

SHA512
61c0e6d2190175f0d4befe06e60e07d73f8fc949a5b14b3b470368415f7b2852453c8f41c2dfac55da3228b9d515fce7fdebaa02e6d95abb2c7185554ff41149

Download Submit
memory/4984-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4984-1-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/4984-2-0x00000000022D0000-0x00000000022F0000-memory.dmp

Filesize
128KB

Download
memory/4984-10-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4984-12-0x0000000002680000-0x00000000026A0000-memory.dmp

Filesize
128KB

Download
memory/4984-11-0x00000000023D0000-0x00000000023F0000-memory.dmp

Filesize
128KB

Download
memory/4984-14-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4984-15-0x00000000022D0000-0x00000000022F0000-memory.dmp

Filesize
128KB

Download
memory/4984-16-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download