04e4d18d9029c46da00d048441689bea7a2ad67975958d6a452eb5180c67daa6

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1d6b600261c8fa506046e27639d8104.exe
Size

23KB
MD5

c1d6b600261c8fa506046e27639d8104
SHA1

bbbaabbfde4e94613f690a3b3ece8c12fb3c8d4a
SHA256

04e4d18d9029c46da00d048441689bea7a2ad67975958d6a452eb5180c67daa6
SHA512

2878e066346ea9115e21435c79954ef751b7f42e773c7d298eef41a4b1ef8e733641f5303f1c8ed6bbe655910c0431104af1e539a462af7665a300435e896d14
SSDEEP

384:ENwx70GGigxf+FhQrSmtlWCMHQw2iVPnQ3tJgFwmiBGFPYrtDLma8nyYeC0:b773gx2FhQrdtbMHGQ4vBGhYDLma8ndi

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1268	c1d6b600261c8fa506046e27639d8104.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1268-0-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/1268-16-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\efcaacoj.dll	c1d6b600261c8fa506046e27639d8104.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2728	1268	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1268	c1d6b600261c8fa506046e27639d8104.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 2728	1268	c1d6b600261c8fa506046e27639d8104.exe	28
PID 1268 wrote to memory of 2728	1268	c1d6b600261c8fa506046e27639d8104.exe	28
PID 1268 wrote to memory of 2728	1268	c1d6b600261c8fa506046e27639d8104.exe	28
PID 1268 wrote to memory of 2728	1268	c1d6b600261c8fa506046e27639d8104.exe	28

C:\Users\Admin\AppData\Local\Temp\c1d6b600261c8fa506046e27639d8104.exe
"C:\Users\Admin\AppData\Local\Temp\c1d6b600261c8fa506046e27639d8104.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 160
  2⤵
  - Program crash
  PID:2728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\efcaacoj.dll

Filesize
44KB

MD5
2fd76cb38d38b5bb7c035d477011e75e

SHA1
2d3b5e515db70d09a8763e68136a42d651a8e811

SHA256
fb0745f39d5e264f6fe67398b6f36d6f2108e0ff94cfd339ffa35c44d370a34d

SHA512
a37608c2a29a5bc46cc54298ea592e6978fc7edd4eef53cf804f91b5a6ad0e45bd9f01aba42a365244c4e138f53fb1447f21607caeb89a6170448cde4f76a422

Download Submit
memory/1268-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1268-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1268-6-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1268-7-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1268-4-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1268-3-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1268-2-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1268-10-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1268-11-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1268-12-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1268-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1268-14-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1268-15-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1268-16-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download