8fd87bd55cdb46b5bee7e431fd7fe7da152a2ec0d511179afdab8fcd369bd036

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3ef9cb45f5cc4b446a43056ec73a48b.exe
Size

3.4MB
MD5

c3ef9cb45f5cc4b446a43056ec73a48b
SHA1

f9e774d51a2e869da2d153609b4fc3c2497dbc63
SHA256

8fd87bd55cdb46b5bee7e431fd7fe7da152a2ec0d511179afdab8fcd369bd036
SHA512

cb60efb057bae4764c3fb3ee3ae4da1ed95a72155dc7f9f28e7ded64e70a6643e33f0f8061fb69fbb7d8a18c869df76f8a9af692e954121fb9d7e75df9d19e31
SSDEEP

49152:OsmJOgW/G5HEJDI3pzZVKItiZlermD3jz/Tygr6tKyQtzyVhDpyLajBHj4f6gZBs:OsiWgn3XsI65//JG+CPbRjrgZQ0c

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbgTuUdYak.exe	c3ef9cb45f5cc4b446a43056ec73a48b.exe

Executes dropped EXE 2 IoCs

pid	Process
2632	RbgTuUdYak.exe
2616	RbgTuUdYak.exe

Loads dropped DLL 6 IoCs

pid	Process
2488	c3ef9cb45f5cc4b446a43056ec73a48b.exe
2488	c3ef9cb45f5cc4b446a43056ec73a48b.exe
2632	RbgTuUdYak.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2168	2616	WerFault.exe	31

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2616	RbgTuUdYak.exe
2616	RbgTuUdYak.exe
2616	RbgTuUdYak.exe
2616	RbgTuUdYak.exe
2616	RbgTuUdYak.exe
2616	RbgTuUdYak.exe
2616	RbgTuUdYak.exe
2616	RbgTuUdYak.exe
2616	RbgTuUdYak.exe
2616	RbgTuUdYak.exe
2616	RbgTuUdYak.exe
2616	RbgTuUdYak.exe
2616	RbgTuUdYak.exe
2616	RbgTuUdYak.exe
2616	RbgTuUdYak.exe
2616	RbgTuUdYak.exe
2616	RbgTuUdYak.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2488	2020	c3ef9cb45f5cc4b446a43056ec73a48b.exe	28
PID 2020 wrote to memory of 2488	2020	c3ef9cb45f5cc4b446a43056ec73a48b.exe	28
PID 2020 wrote to memory of 2488	2020	c3ef9cb45f5cc4b446a43056ec73a48b.exe	28
PID 2020 wrote to memory of 2488	2020	c3ef9cb45f5cc4b446a43056ec73a48b.exe	28
PID 2488 wrote to memory of 2632	2488	c3ef9cb45f5cc4b446a43056ec73a48b.exe	30
PID 2488 wrote to memory of 2632	2488	c3ef9cb45f5cc4b446a43056ec73a48b.exe	30
PID 2488 wrote to memory of 2632	2488	c3ef9cb45f5cc4b446a43056ec73a48b.exe	30
PID 2488 wrote to memory of 2632	2488	c3ef9cb45f5cc4b446a43056ec73a48b.exe	30
PID 2632 wrote to memory of 2616	2632	RbgTuUdYak.exe	31
PID 2632 wrote to memory of 2616	2632	RbgTuUdYak.exe	31
PID 2632 wrote to memory of 2616	2632	RbgTuUdYak.exe	31
PID 2632 wrote to memory of 2616	2632	RbgTuUdYak.exe	31
PID 2616 wrote to memory of 2480	2616	RbgTuUdYak.exe	32
PID 2616 wrote to memory of 2480	2616	RbgTuUdYak.exe	32
PID 2616 wrote to memory of 2480	2616	RbgTuUdYak.exe	32
PID 2616 wrote to memory of 2480	2616	RbgTuUdYak.exe	32
PID 2616 wrote to memory of 2168	2616	RbgTuUdYak.exe	34
PID 2616 wrote to memory of 2168	2616	RbgTuUdYak.exe	34
PID 2616 wrote to memory of 2168	2616	RbgTuUdYak.exe	34
PID 2616 wrote to memory of 2168	2616	RbgTuUdYak.exe	34

C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe
"C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe
  "C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbgTuUdYak.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbgTuUdYak.exe" "C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbgTuUdYak.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbgTuUdYak.exe" "C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe"
        5⤵
        
        PID:2480
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 260
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbgTuUdYak.exe

Filesize
1.0MB

MD5
224f14bf4b0d5606a84aaa528f25cf23

SHA1
4ce686f559cf4d953dab964595a779bd75525c04

SHA256
ac25b6be16c30ce41758afd1e2ca741a34f5560194d5b6a52116f51ac4f6f6bf

SHA512
b857461cbac92725ae84ac02dacb34b4e3d1bfe4d796a48ea768507f32346f1e174b497e5899103abe1a0db6536ed29b439b16671acd5c1b457598a2f3d1bd52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbgTuUdYak.exe

Filesize
1.0MB

MD5
fe9f734a2d720829819a93a7f8e8fd41

SHA1
c17e8e57b1f730e47d12f6b526fdfc70f82be28e

SHA256
afe1fd9cec3800f9db14852bf895d8bf9b4ae4f6eeb52651f1b0e25297b1a961

SHA512
3195ae2ad24b3a1d6229de563b72644974e57f2078be1aab1d6064aa309ac85fedf900831f17808adecc2ffb46188a63e4848f8a1c0bec148551ae99d4ee5153

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbgTuUdYak.exe

Filesize
1.2MB

MD5
39a674346ef180eeb158bcd0b2f90dcf

SHA1
21c781b12318ff83eecc7a74f1a2b46957faab43

SHA256
82157d051988b1468e6e9ada9391b0a03da041fbc892bd38070c2851a7826081

SHA512
0265b7ee0e824b6f91173ba754e5760050a906db8c47a4bd4b1eff27500f4a52ca519b5bca19971887c4f57203a6e56ad528ebe6b8e6a00e696a95c76b509c52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbgTuUdYak.exe

Filesize
1.1MB

MD5
06a098ba1c0626935b2c77530c31da2a

SHA1
b9bf6e6e13e8e3ca597612d170d8fcba007f13a7

SHA256
3010e98a5f4ac0c2412eccbec99049b7fa274e846b914a8b6a58bc61f62dd226

SHA512
73e5bfd1055b65c12756414a2f07666e8cb46951fc46be753e347402ba7792eb6ab509f75ef2938c39db53f898b834186e513a30841132f8a154b66e9a468ba9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbgTuUdYak.exe

Filesize
991KB

MD5
ddd43d87c5449af72d4bf7a104e9a465

SHA1
b9ca2a5b9799d683daaa48e38535003bcf785a1b

SHA256
957bee57ece51d4527000d31fdf19e6d27c3baf82fff8e1ac58bd494e62ee68c

SHA512
1a7345de15e0f80664cd8e38158a415103287c34c4851c5f87a7dfe94cc8f7c9ae2dc9f8c66d4d96f62b2c4d7286f1b7e29775c836680d8052e450a9346ba48b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbgTuUdYak.exe

Filesize
3.4MB

MD5
4507cc5443f673d6482629a4b4b1c589

SHA1
5de1bc5f5c554aa8bf83e68e8b4edca8686842ca

SHA256
7d8ccc12edeccc85d15ef2796b52ae9fe738269683bd6ef6f08524e78357e155

SHA512
6e1a4062496c04b82d6aa004c119a2a7bdd081f8ce53db22c6d0e3cc4923ded056e93651dc7ce8111af5aeb76437b5e941438c49f3fc3285e5ddd66f0f0f1a83

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbgTuUdYak.exe

Filesize
3.3MB

MD5
a6d8b34dfcdf06e738e4470b0c6099ce

SHA1
59eef956a2bb16a014c84d8d99ee5ed726adbaa5

SHA256
8a1807e076c63b485d83707cb99e93ea61042a0b2e5b1e08ff118f47afe68b6c

SHA512
d81fd964e567612cb3f6256560d0857981b6cc648617b355297127399f1b04608a33e0a6c3d6abe03187f333b1a998b35fe256380786a43d486e4248c4ccf100

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbgTuUdYak.exe

Filesize
2.1MB

MD5
ee6a04ece478a21712e3e4468a3e5607

SHA1
e48d83d22c2f3c72a6c63d07bec1bdbe2a802249

SHA256
24f71a146aba0b7d28c631b4b8d1db7415a122ac5330138e99643b24cbf54755

SHA512
85b626ca732fe4ceb41248abd7d350daaf27faceef687606745172c94b0191acdc12dcb32fa8b79fd2c8abd34dde18ca83dbeb19e2ee47bf0aa7ff89f5f99917

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbgTuUdYak.exe

Filesize
1.1MB

MD5
04d02e5d3dd55651b0f7a26010b26dcb

SHA1
12f5a080d6ce0c2c277c85ce77764524bbac870a

SHA256
88dc3207d0890fb392f02917a958b62f187d8935a128aaa3042e8f821dee6532

SHA512
e1f38cb841a5a877f7160f377467f77559a1904e65acfc7cee750f674ed063e119c6acdf0f5a6c98768fdb6dd657a0f2cfc234582f52339a681e64a3f57388e5

Download Submit
memory/2020-0-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2020-1-0x00000000020C0000-0x00000000024BE000-memory.dmp

Filesize
4.0MB

Download
memory/2488-20-0x00000000023A0000-0x000000000243E000-memory.dmp

Filesize
632KB

Download
memory/2488-15-0x0000000005A60000-0x0000000005E5E000-memory.dmp

Filesize
4.0MB

Download
memory/2488-14-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2488-2-0x00000000023A0000-0x000000000243E000-memory.dmp

Filesize
632KB

Download
memory/2616-19-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2616-22-0x0000000000800000-0x000000000089E000-memory.dmp

Filesize
632KB

Download
memory/2616-24-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2616-23-0x0000000077060000-0x0000000077061000-memory.dmp

Filesize
4KB

Download
memory/2616-29-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2616-31-0x0000000000800000-0x000000000089E000-memory.dmp

Filesize
632KB

Download
memory/2616-32-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2632-17-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2632-18-0x0000000002330000-0x000000000272E000-memory.dmp

Filesize
4.0MB

Download