4c6464e472c0b92872637dfa5e52cc85c0085bafb103cd924199c9fcc49e54ad

Analysis

max time kernel
127s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2024 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcb8d7a53953e95be674eed01818bbf6.exe
Size

695KB
MD5

bcb8d7a53953e95be674eed01818bbf6
SHA1

f58c16e1809a4f6cf42e655f52f3c062afb43869
SHA256

4c6464e472c0b92872637dfa5e52cc85c0085bafb103cd924199c9fcc49e54ad
SHA512

3ad305ed7a09bd4a163a48b7142b3d865d62858e0141580c0ca739397e281bd8aa25c40f508d7c01c21dd941f3cf60a183c337561b1c7e4b0e110b96a8b6cf5c
SSDEEP

12288:UsfLEtC11+Ijp3p2/534mWRe9Opi4/n1ZCWXzF3Z4mxxp7Hl8xGhGqupSIu:H5TpeVWAlGrXQmXp7l8EIu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1292	windwos.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\windwos.exe	bcb8d7a53953e95be674eed01818bbf6.exe
File opened for modification	C:\Windows\windwos.exe	bcb8d7a53953e95be674eed01818bbf6.exe
File created	C:\Windows\uninstal.bat	bcb8d7a53953e95be674eed01818bbf6.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4680	4088	WerFault.exe	83
4600	1292	WerFault.exe	87

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	windwos.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	windwos.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	windwos.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	windwos.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	windwos.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4088	bcb8d7a53953e95be674eed01818bbf6.exe
Token: SeDebugPrivilege	1292	windwos.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1292	windwos.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1572	1292	windwos.exe	90
PID 1292 wrote to memory of 1572	1292	windwos.exe	90
PID 4088 wrote to memory of 4784	4088	bcb8d7a53953e95be674eed01818bbf6.exe	91
PID 4088 wrote to memory of 4784	4088	bcb8d7a53953e95be674eed01818bbf6.exe	91
PID 4088 wrote to memory of 4784	4088	bcb8d7a53953e95be674eed01818bbf6.exe	91

C:\Users\Admin\AppData\Local\Temp\bcb8d7a53953e95be674eed01818bbf6.exe
"C:\Users\Admin\AppData\Local\Temp\bcb8d7a53953e95be674eed01818bbf6.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 332
  2⤵
  - Program crash
  PID:4680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4088 -ip 4088
1⤵
PID:4068

C:\Windows\windwos.exe
C:\Windows\windwos.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 320
  2⤵
  - Program crash
  PID:4600
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1292 -ip 1292
1⤵
PID:1772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.bat

Filesize
190B

MD5
ab83ea631b923ac15c1e165c931bb4d0

SHA1
3df5372540c083e82191cc83e59677a1c9256264

SHA256
2f5860ac9eff7a3d5fc765d9db5c158b750d42bcfac9c05bb516657bfcb122e7

SHA512
559e3535f55321e775a30e61678e639dda2d847c769b826748f5c1a59278b05331329039b3cd3459790d5b361068d36293886e35b26e4e2ab0ebedb0b75884fe

Download Submit
C:\Windows\windwos.exe

Filesize
695KB

MD5
bcb8d7a53953e95be674eed01818bbf6

SHA1
f58c16e1809a4f6cf42e655f52f3c062afb43869

SHA256
4c6464e472c0b92872637dfa5e52cc85c0085bafb103cd924199c9fcc49e54ad

SHA512
3ad305ed7a09bd4a163a48b7142b3d865d62858e0141580c0ca739397e281bd8aa25c40f508d7c01c21dd941f3cf60a183c337561b1c7e4b0e110b96a8b6cf5c

Download Submit
memory/1292-54-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/1292-57-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/1292-66-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1292-67-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1292-68-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1292-37-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1292-69-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1292-70-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1292-71-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1292-65-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1292-64-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1292-63-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1292-62-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1292-38-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1292-61-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1292-60-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1292-59-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/1292-39-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1292-58-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/1292-55-0x0000000000A80000-0x0000000000AD4000-memory.dmp

Filesize
336KB

Download
memory/1292-56-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/1292-48-0x0000000001420000-0x0000000001421000-memory.dmp

Filesize
4KB

Download
memory/1292-47-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/1292-46-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1292-45-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1292-40-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1292-44-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1292-33-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/1292-32-0x0000000000A80000-0x0000000000AD4000-memory.dmp

Filesize
336KB

Download
memory/1292-35-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/1292-34-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/1292-36-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/1292-43-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/1292-42-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/1292-41-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/4088-19-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/4088-29-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4088-15-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/4088-7-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/4088-3-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/4088-26-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/4088-25-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/4088-24-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/4088-23-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/4088-51-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/4088-52-0x0000000000A30000-0x0000000000A84000-memory.dmp

Filesize
336KB

Download
memory/4088-1-0x0000000000A30000-0x0000000000A84000-memory.dmp

Filesize
336KB

Download
memory/4088-0-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/4088-22-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/4088-21-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4088-20-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4088-2-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4088-18-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/4088-17-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/4088-16-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/4088-14-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/4088-13-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/4088-12-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/4088-11-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/4088-10-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/4088-9-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/4088-8-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/4088-6-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/4088-5-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/4088-4-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download