ad0d8c4b22e9ae3fcb83dfc0cd8113c9013e6945924bf6aeb0e9bb6d797b43cb

Analysis

max time kernel
141s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4b4bf7d9089788bb7f19f7a8e527d4f.exe
Size

3.4MB
MD5

c4b4bf7d9089788bb7f19f7a8e527d4f
SHA1

182cf7e4e5d011523a891286fab19d747f098da0
SHA256

ad0d8c4b22e9ae3fcb83dfc0cd8113c9013e6945924bf6aeb0e9bb6d797b43cb
SHA512

90443c5cdd8b4951aa6ded40acd163c4ab8beee5ea23e9ac8e9d683aea7520e4c6e00bf52ea984fa5d3e686f1aa0b7d06df3bd6880bc5511bdcaa1515eafcc26
SSDEEP

98304:JYy2g2eODGhQekoXmduwGrJU58o9eHmkqh+y:GgQDk2Si58o9eTqh+

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ltdVK8u.exe	c4b4bf7d9089788bb7f19f7a8e527d4f.exe

Executes dropped EXE 2 IoCs

pid	Process
2612	ltdVK8u.exe
2872	ltdVK8u.exe

Loads dropped DLL 6 IoCs

pid	Process
2820	c4b4bf7d9089788bb7f19f7a8e527d4f.exe
2820	c4b4bf7d9089788bb7f19f7a8e527d4f.exe
2612	ltdVK8u.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2432	2872	WerFault.exe	31

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2872	ltdVK8u.exe
2872	ltdVK8u.exe
2872	ltdVK8u.exe
2872	ltdVK8u.exe
2872	ltdVK8u.exe
2872	ltdVK8u.exe
2872	ltdVK8u.exe
2872	ltdVK8u.exe
2872	ltdVK8u.exe
2872	ltdVK8u.exe
2872	ltdVK8u.exe
2872	ltdVK8u.exe
2872	ltdVK8u.exe
2872	ltdVK8u.exe
2872	ltdVK8u.exe
2872	ltdVK8u.exe
2872	ltdVK8u.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2820	2784	c4b4bf7d9089788bb7f19f7a8e527d4f.exe	28
PID 2784 wrote to memory of 2820	2784	c4b4bf7d9089788bb7f19f7a8e527d4f.exe	28
PID 2784 wrote to memory of 2820	2784	c4b4bf7d9089788bb7f19f7a8e527d4f.exe	28
PID 2784 wrote to memory of 2820	2784	c4b4bf7d9089788bb7f19f7a8e527d4f.exe	28
PID 2820 wrote to memory of 2612	2820	c4b4bf7d9089788bb7f19f7a8e527d4f.exe	30
PID 2820 wrote to memory of 2612	2820	c4b4bf7d9089788bb7f19f7a8e527d4f.exe	30
PID 2820 wrote to memory of 2612	2820	c4b4bf7d9089788bb7f19f7a8e527d4f.exe	30
PID 2820 wrote to memory of 2612	2820	c4b4bf7d9089788bb7f19f7a8e527d4f.exe	30
PID 2612 wrote to memory of 2872	2612	ltdVK8u.exe	31
PID 2612 wrote to memory of 2872	2612	ltdVK8u.exe	31
PID 2612 wrote to memory of 2872	2612	ltdVK8u.exe	31
PID 2612 wrote to memory of 2872	2612	ltdVK8u.exe	31
PID 2872 wrote to memory of 2400	2872	ltdVK8u.exe	32
PID 2872 wrote to memory of 2400	2872	ltdVK8u.exe	32
PID 2872 wrote to memory of 2400	2872	ltdVK8u.exe	32
PID 2872 wrote to memory of 2400	2872	ltdVK8u.exe	32
PID 2872 wrote to memory of 2432	2872	ltdVK8u.exe	33
PID 2872 wrote to memory of 2432	2872	ltdVK8u.exe	33
PID 2872 wrote to memory of 2432	2872	ltdVK8u.exe	33
PID 2872 wrote to memory of 2432	2872	ltdVK8u.exe	33

C:\Users\Admin\AppData\Local\Temp\c4b4bf7d9089788bb7f19f7a8e527d4f.exe
"C:\Users\Admin\AppData\Local\Temp\c4b4bf7d9089788bb7f19f7a8e527d4f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Local\Temp\c4b4bf7d9089788bb7f19f7a8e527d4f.exe
  "C:\Users\Admin\AppData\Local\Temp\c4b4bf7d9089788bb7f19f7a8e527d4f.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ltdVK8u.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ltdVK8u.exe" "C:\Users\Admin\AppData\Local\Temp\c4b4bf7d9089788bb7f19f7a8e527d4f.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ltdVK8u.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ltdVK8u.exe" "C:\Users\Admin\AppData\Local\Temp\c4b4bf7d9089788bb7f19f7a8e527d4f.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe"
        5⤵
        
        PID:2400
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 260
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ltdVK8u.exe

Filesize
3.4MB

MD5
4e352d693c6cf74df1f2505b07116719

SHA1
ce0386ce4fe7cc22119bc1ef445b8d612013dfc8

SHA256
109b255b149c11fd7ab32a44e4a7f91009cc6b41f0cb0a58729f7b19a5611428

SHA512
64512565ea610a7c43f2909c5b6a329abfee4fdb7d8b67047a248b644ec42c4cdde76e0ce6a797919bf0431e0a6b10f3efe6d300395a841fdfa57a5e794bfb5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ltdVK8u.exe

Filesize
2.0MB

MD5
3adeed35767449b091368236ffa8aba6

SHA1
59efe9626343f28897a1a49adf82386f8b586536

SHA256
00e64a97022a18ccccaa5119c500d4bbc0ccb949a09a2f4ffc6398edbb8fbf29

SHA512
75c133d2770a84ff37e2d37690ad7dff914cb25e0290771ea5f531c58f9fd377771edd7f971d477e1d9a84aad4a4114df9cbc01c375cd03369daa137837aa8c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ltdVK8u.exe

Filesize
1.4MB

MD5
c0e502d6a29dad6fcd6d3a1264783495

SHA1
8cfe4a12589b5dff687c83a495a2ecb78ec17be9

SHA256
60a9d1d857a7d6cb44edd4935f4b8d2836c01efd06586378a9f6127a6c4846be

SHA512
b7018eed37c2b76ebdc1ae2f5675da7e1dcd2744fd195d59cbacbdcf90961e9ca18830209ffba8dd2ce0c09447cbb973b20948af34105c65fc210d860c5bec39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ltdVK8u.exe

Filesize
1.3MB

MD5
6c265906f1d681984182b762f4c14b4e

SHA1
5477d47696678f9c99e0ba6bdd3f3043ef308178

SHA256
b8177d41ad9b3722b76e1539e57eb2352951ffa90f3345ac97866690a5ca0a50

SHA512
41c94546e4fd67ca48e497914198e163d855250223f17cba610284b33517295e97a3d1f2f66b656dad1bbf7ca43aaaeacadf5709ba74cf480eee1a9a6b3a4d98

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ltdVK8u.exe

Filesize
1.5MB

MD5
e5c8716ed94dca32ddb3a723ed38c7d0

SHA1
04a3a6389fec86dcd2cab04bfc54b7e06033f649

SHA256
ce4c9fc343a6a0af5a016ce2fafc5745dc94d2838c06ab7ca9a8b0527d901fa9

SHA512
bc88580f95c56d835f6c9b8056e68ea3c5cdc4df923305a1613b060c94cb36c80ee0ea8085c7cbd6015390acd02313e49bceeda77c4045b79df81f957f10be1b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ltdVK8u.exe

Filesize
768KB

MD5
56d0b76f4aa1968edb7a0cd8afca88c1

SHA1
d8cc8d0c680d3c74ca1378fed26967bfa887cd35

SHA256
dbc9d534988a055ae55893539afd399cdb7024e232ca7bdceb253fa5ec15c194

SHA512
a2f8a4ce981795759a61da88878e0641ab37c39e3454b3f89ea910012cccc0c98def3e496df63e6f6dc9f9307350a82bac4f6bd59ce768524a371e5310abdc87

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ltdVK8u.exe

Filesize
704KB

MD5
7833813f6d4e7aea60f487ba9a3005e4

SHA1
dcf598d93e723eaa6c16a2f26d47bd9f3fa655ca

SHA256
c2c9e001492a9ed0d7801115c39ed5ae6dc9a9dcf18227c25e7d93d5ab8b63b8

SHA512
d88b361cdaeb9936f8b9abb0f8f9b1b429395513e63a7dacaefd19f6e54f1db4af25023c561512d774d371f8b9f53a23db635d2ca6ae8ef8414d314063fa69dd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ltdVK8u.exe

Filesize
2.8MB

MD5
c3ae24a16e5fd6fce743adcdaa7e0ab0

SHA1
537480c9ed8ad8b2f109861fb396858e5ff7b396

SHA256
85c28f4ee000a7208e04c2cf3d8aec91779f6424d3076f14174eb6f764aa82b1

SHA512
4ceb0abf39bd1267e82a979283af09f699a7714b35285d842ef9494d5db34365d122fd449eb8b66e288343e644c08288a6a77167b8605ac924480af0847e758e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ltdVK8u.exe

Filesize
3.2MB

MD5
6f599dd47c175c25399e6603d3d63bb5

SHA1
8aa40a263a7a8e9282a934932d4cad24e317fc09

SHA256
aa6f94cd51c1b1e5d96d7e9b6855e7d7539f4771439f3a162214c6122c076df1

SHA512
ad0aa579b5be45895d9fe268fd2d6d42b9c4b8275482d71a866888d00efa45473d69102019aaef5b608c9f54d9c6916cf65210c1185bd626718dc756db511ed9

Download Submit
memory/2612-22-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2612-16-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2784-0-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2784-1-0x0000000002190000-0x000000000258E000-memory.dmp

Filesize
4.0MB

Download
memory/2820-13-0x0000000000320000-0x00000000003BE000-memory.dmp

Filesize
632KB

Download
memory/2820-14-0x00000000052A0000-0x000000000569E000-memory.dmp

Filesize
4.0MB

Download
memory/2820-12-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2820-7-0x00000000052A0000-0x000000000569E000-memory.dmp

Filesize
4.0MB

Download
memory/2820-2-0x0000000000320000-0x00000000003BE000-memory.dmp

Filesize
632KB

Download
memory/2820-30-0x00000000052A0000-0x000000000569E000-memory.dmp

Filesize
4.0MB

Download
memory/2872-21-0x0000000002370000-0x000000000240E000-memory.dmp

Filesize
632KB

Download
memory/2872-24-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2872-23-0x00000000771A0000-0x00000000771A1000-memory.dmp

Filesize
4KB

Download
memory/2872-25-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2872-32-0x0000000002370000-0x000000000240E000-memory.dmp

Filesize
632KB

Download