Overview

overview

9

Static

static

3

e06e329a5b...5d.exe

windows7-x64

9

e06e329a5b...5d.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-03-2024 01:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e06e329a5b9b148b9e66f429aadf06b8097517ae039e9c8ec545397c8c6d2f5d.exe

  • Size

    1.3MB

  • MD5

    2926483b6611f9a3424e0cdb361dd9f5

  • SHA1

    01f3178790399645c1b043e668d431edb0cdf789

  • SHA256

    e06e329a5b9b148b9e66f429aadf06b8097517ae039e9c8ec545397c8c6d2f5d

  • SHA512

    d6241193a376204f0224bf21f9b904cb23a4fcfb70f82cd437ada43e91f2ed1e6351840a20cbf89bc87d2b5dee57a070fbef407d024cb07a0efefb8287d13153

  • SSDEEP

    24576:P4nssS9F0wXttCAQSGFv6a/ZS/FtaEvsQ77Lv+f6T8TxL5qb:AnsVF0SqaG96gOFtaEkQbExL50

Score
9/10

Malware Config

Signatures

  • Detects executables (downlaoders) containing URLs to raw contents of a paste 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Program crash 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e06e329a5b9b148b9e66f429aadf06b8097517ae039e9c8ec545397c8c6d2f5d.exe
    "C:\Users\Admin\AppData\Local\Temp\e06e329a5b9b148b9e66f429aadf06b8097517ae039e9c8ec545397c8c6d2f5d.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 344
      2⤵
      • Program crash
      PID:2024
    • C:\Users\Admin\AppData\Local\Temp\e06e329a5b9b148b9e66f429aadf06b8097517ae039e9c8ec545397c8c6d2f5d.exe
      C:\Users\Admin\AppData\Local\Temp\e06e329a5b9b148b9e66f429aadf06b8097517ae039e9c8ec545397c8c6d2f5d.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:4712
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 344
        3⤵
        • Program crash
        PID:3164
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 628
        3⤵
        • Program crash
        PID:2188
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 628
        3⤵
        • Program crash
        PID:1052
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 696
        3⤵
        • Program crash
        PID:932
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 764
        3⤵
        • Program crash
        PID:3680
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 916
        3⤵
        • Program crash
        PID:2044
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1404
        3⤵
        • Program crash
        PID:116
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1512
        3⤵
        • Program crash
        PID:1488
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1644
        3⤵
        • Program crash
        PID:4904
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1528
        3⤵
        • Program crash
        PID:4644
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1688
        3⤵
        • Program crash
        PID:3684
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1660
        3⤵
        • Program crash
        PID:2776
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 632
        3⤵
        • Program crash
        PID:4516
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2712 -ip 2712
    1⤵
      PID:2028
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4712 -ip 4712
      1⤵
        PID:2032
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4712 -ip 4712
        1⤵
          PID:1496
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4712 -ip 4712
          1⤵
            PID:3340
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4712 -ip 4712
            1⤵
              PID:432
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4712 -ip 4712
              1⤵
                PID:2568
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4712 -ip 4712
                1⤵
                  PID:4460
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4712 -ip 4712
                  1⤵
                    PID:5048
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4712 -ip 4712
                    1⤵
                      PID:3344
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4712 -ip 4712
                      1⤵
                        PID:64
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4712 -ip 4712
                        1⤵
                          PID:1876
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4712 -ip 4712
                          1⤵
                            PID:3172
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4712 -ip 4712
                            1⤵
                              PID:2020
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4712 -ip 4712
                              1⤵
                                PID:4384

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Temp\e06e329a5b9b148b9e66f429aadf06b8097517ae039e9c8ec545397c8c6d2f5d.exe
                                Filesize

                                806KB

                                MD5

                                00a09281a08360b0505c8f54265fddf9

                                SHA1

                                1422b96bab7c2ada0aed44d90c5e8eb6b9b878a1

                                SHA256

                                04e15c26a885ca1ce80158cb97fd64444f99ff70d142b1f5d1eaccd1dece6541

                                SHA512

                                846d183b3354352dfd5e2f0b90e6774f8edddfecd53832dc4da64cc9645d0b8f2bbf6884158481db787cf382bc7f09e2bfda131f1ca1b0470c55a5bf0f7c306c

                                Download Submit

                              • memory/2712-0-0x0000000000400000-0x00000000004F1000-memory.dmp

                                Filesize

                                964KB

                                Download

                              • memory/2712-6-0x0000000000400000-0x00000000004F1000-memory.dmp

                                Filesize

                                964KB

                                Download

                              • memory/4712-7-0x0000000000400000-0x00000000004F1000-memory.dmp

                                Filesize

                                964KB

                                Download

                              • memory/4712-8-0x0000000004F80000-0x0000000005071000-memory.dmp

                                Filesize

                                964KB

                                Download

                              • memory/4712-9-0x0000000000400000-0x00000000004A3000-memory.dmp

                                Filesize

                                652KB

                                Download

                              • memory/4712-18-0x0000000000400000-0x0000000000443000-memory.dmp

                                Filesize

                                268KB

                                Download

                              • memory/4712-21-0x000000000B9C0000-0x000000000BA63000-memory.dmp

                                Filesize

                                652KB

                                Download