16cbab099349eda41a98825326580a9ca1477de905e1e9c379eb96421fe6f132

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 08:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c8213f16c012dc03afb6fb689dfd8033.exe
Size

384KB
MD5

c8213f16c012dc03afb6fb689dfd8033
SHA1

2b87b8d366f219ae87baf1ee50a77befa3749467
SHA256

16cbab099349eda41a98825326580a9ca1477de905e1e9c379eb96421fe6f132
SHA512

5dd88e9c9928273bac6f5f3d08e70dd5e0ddc74c3d65bfbf765c6bb1803d7b02c721867cafa5c3abd1f1c43df8d7c380ec550b03c46dd7b896165d33782e6d2e
SSDEEP

6144:mEg9kdTTFYvofUWJOWcVB7+4o99WTa/9Z50AdwM3GpK9XunQDX1C:mB9k9TYMg+4o99+iEQTGUwnSFC

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3928	kI01803PaBjI01803.exe

Executes dropped EXE 1 IoCs

pid	Process
3928	kI01803PaBjI01803.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3076-1-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral2/memory/3076-13-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral2/memory/3928-19-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral2/memory/3928-22-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral2/memory/3928-29-0x0000000000400000-0x00000000004EE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kI01803PaBjI01803 = "C:\\ProgramData\\kI01803PaBjI01803\\kI01803PaBjI01803.exe"	kI01803PaBjI01803.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3652	3076	WerFault.exe	86
2284	3928	WerFault.exe	98

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3076	c8213f16c012dc03afb6fb689dfd8033.exe
3076	c8213f16c012dc03afb6fb689dfd8033.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3076	c8213f16c012dc03afb6fb689dfd8033.exe
Token: SeDebugPrivilege	3928	kI01803PaBjI01803.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3928	kI01803PaBjI01803.exe
3928	kI01803PaBjI01803.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 3928	3076	c8213f16c012dc03afb6fb689dfd8033.exe	98
PID 3076 wrote to memory of 3928	3076	c8213f16c012dc03afb6fb689dfd8033.exe	98
PID 3076 wrote to memory of 3928	3076	c8213f16c012dc03afb6fb689dfd8033.exe	98

C:\Users\Admin\AppData\Local\Temp\c8213f16c012dc03afb6fb689dfd8033.exe
"C:\Users\Admin\AppData\Local\Temp\c8213f16c012dc03afb6fb689dfd8033.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 672
  2⤵
  - Program crash
  PID:3652
- C:\ProgramData\kI01803PaBjI01803\kI01803PaBjI01803.exe
  "C:\ProgramData\kI01803PaBjI01803\kI01803PaBjI01803.exe" "C:\Users\Admin\AppData\Local\Temp\c8213f16c012dc03afb6fb689dfd8033.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 668
    3⤵
    - Program crash
    PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3076 -ip 3076
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3928 -ip 3928
1⤵
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kI01803PaBjI01803\kI01803PaBjI01803

Filesize
192B

MD5
9ffc2cf8216242539ca937e398ae4610

SHA1
ad157288c0e8e67542f16502f310e5a45ef274d8

SHA256
b205198c3b7f138d7d3478a7af544ce896cda7173a75a583b51f65ea089617f9

SHA512
92a1b0ca485d63caf7b0af67cb67336e884952a44c639f735e261e10ffcf6d9ba3ba36db41eac8916b697f7e0f0a92339793e0b923d2fce0f7f007bb514a6853

Download Submit
C:\ProgramData\kI01803PaBjI01803\kI01803PaBjI01803.exe

Filesize
384KB

MD5
7055238289a2452e342f32c25e12c234

SHA1
0322ee386bae275fbbdd15f2614e495d4fb8cb60

SHA256
dbcbfb8aa6c97284642127e66d29c9633ed48728f0836181c393a7fbcf3a8f56

SHA512
aad1d27282a3b52ccc3ad790077b1992fa5cf9b0a72d0d3e89be3677ffa48eac053edc7813076ebd1cd75bb7469482106b52080e6cc00f9216ddfa16b130806f

Download Submit
memory/3076-0-0x0000000002200000-0x0000000002202000-memory.dmp

Filesize
8KB

Download
memory/3076-1-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3076-13-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3928-19-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3928-22-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3928-29-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download