Analysis

max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14-03-2024 10:49
Static task: static1

Behavioral task: behavioral1
Sample: c86ff2b1f4648317831785c1087509d4.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: c86ff2b1f4648317831785c1087509d4.exe
Resource: win10v2004-20240226-en
General

Target: c86ff2b1f4648317831785c1087509d4.exe
Size: 47KB
MD5: c86ff2b1f4648317831785c1087509d4
SHA1: c979e6a69dd18e3c2a6e8e58c672ed58c893f78f
SHA256: 7367a8bcb732a89445da69c858119a663be4c6c6e6721ba46b353ecfee058ab3
SHA512: b738397841113411d5058529851dfb60c66e9787cf2e03cd517a1628cb3a2175839745fc837d2cb7840ecfd987cd95b73a11f07d99ecf6797ba650db8f3621f3
SSDEEP: 768:3dO63Wv7X5Ei8jBuEoHxEKP/Yo9ErnfvcQbNRgiIf6GVk+Q0kaXO44O:eX5rMBVS/YoKrn8SrIf6G6+zXO4
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid  | Process
2680 | fxstaller.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description     | ioc                                                                                                                         | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows UDP Control Center = "fxstaller.exe" | c86ff2b1f4648317831785c1087509d4.exe

Suspicious use of SetThreadContext (1 IoC)
description                             | pid  | Process                              | procid_target
PID 2508 set thread context of 2744     | 2508 | c86ff2b1f4648317831785c1087509d4.exe | 28

Drops file in Windows directory (2 IoCs)
description                   | ioc                      | Process
File created                  | C:\Windows\fxstaller.exe | c86ff2b1f4648317831785c1087509d4.exe
File opened for modification  | C:\Windows\fxstaller.exe | c86ff2b1f4648317831785c1087509d4.exe

Program crash (1 IoC)
pid  | pid_target | Process      | procid_target
2672 | 2680       | WerFault.exe | 29

Suspicious use of WriteProcessMemory (16 IoCs)
description                        | pid  | Process                              | procid_target
PID 2508 wrote to memory of 2744   | 2508 | c86ff2b1f4648317831785c1087509d4.exe | 28
PID 2508 wrote to memory of 2744   | 2508 | c86ff2b1f4648317831785c1087509d4.exe | 28
PID 2508 wrote to memory of 2744   | 2508 | c86ff2b1f4648317831785c1087509d4.exe | 28
PID 2508 wrote to memory of 2744   | 2508 | c86ff2b1f4648317831785c1087509d4.exe | 28
PID 2508 wrote to memory of 2744   | 2508 | c86ff2b1f4648317831785c1087509d4.exe | 28
PID 2508 wrote to memory of 2744   | 2508 | c86ff2b1f4648317831785c1087509d4.exe | 28
PID 2508 wrote to memory of 2744   | 2508 | c86ff2b1f4648317831785c1087509d4.exe | 28
PID 2508 wrote to memory of 2744   | 2508 | c86ff2b1f4648317831785c1087509d4.exe | 28
PID 2744 wrote to memory of 2680   | 2744 | c86ff2b1f4648317831785c1087509d4.exe | 29
PID 2744 wrote to memory of 2680   | 2744 | c86ff2b1f4648317831785c1087509d4.exe | 29
PID 2744 wrote to memory of 2680   | 2744 | c86ff2b1f4648317831785c1087509d4.exe | 29
PID 2744 wrote to memory of 2680   | 2744 | c86ff2b1f4648317831785c1087509d4.exe | 29
PID 2680 wrote to memory of 2672   | 2680 | fxstaller.exe                        | 30
PID 2680 wrote to memory of 2672   | 2680 | fxstaller.exe                        | 30
PID 2680 wrote to memory of 2672   | 2680 | fxstaller.exe                        | 30
PID 2680 wrote to memory of 2672   | 2680 | fxstaller.exe                        | 30
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\c86ff2b1f4648317831785c1087509d4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c86ff2b1f4648317831785c1087509d4.exe"
  PID: 2508
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\c86ff2b1f4648317831785c1087509d4.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\c86ff2b1f4648317831785c1087509d4.exe
    PID: 2744
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\fxstaller.exe
      Command line: "C:\Windows\fxstaller.exe"
      PID: 2680
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 72
        PID: 2672
        - Program crash
Network
MITRE ATT&CK Enterprise v15