Analysis
max time kernel: 119s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/03/2024, 14:08
Static task: static1
Behavioral task: behavioral1
  Sample: c8ce4c8f369ecd6d09a8a6b6a6ab4036.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: c8ce4c8f369ecd6d09a8a6b6a6ab4036.exe
  Resource: win10v2004-20240226-en
General
Target: c8ce4c8f369ecd6d09a8a6b6a6ab4036.exe
Size: 328KB
MD5: c8ce4c8f369ecd6d09a8a6b6a6ab4036
SHA1: d57d709bfac190fe1d9f534276807f9a7fb7e80d
SHA256: 26d02628a31361a685324ba26749014c99f2895e65bc78b49358482a5fffb4b2
SHA512: 40c121b4545dfe70461783780934e6e084ced34164db0544db4595a7fa3c16b944c94b0323e787934e85894783698dbf0816e404effb5bdb9e4b108054b1e209
SSDEEP: 6144:BEc828Ea8XDd6GaYDkakxmZQmCkAyYZ9T:BEc8ARz8YDGxm6D5hD
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2488  c8ce4c8f369ecd6d09a8a6b6a6ab4036mgr.exe

(yara rule matches; signature title not present on the page)
  resource                                                                     yara_rule
  behavioral2/files/0x000c00000002330d-3.dat                                   upx
  behavioral2/memory/2488-5-0x0000000000400000-0x000000000043E000-memory.dmp   upx
  behavioral2/memory/2488-16-0x0000000000400000-0x000000000043E000-memory.dmp  upx

Drops file in System32 directory (1 IoC)
  description                   ioc                                                    Process
  File opened for modification  C:\Windows\system32\spool\PRTPROCS\x64\24059C8.tmp     c8ce4c8f369ecd6d09a8a6b6a6ab4036.exe

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  3312  2488        WerFault.exe  93

Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  5032  c8ce4c8f369ecd6d09a8a6b6a6ab4036.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid   Process                               procid_target
  PID 5032 wrote to memory of 2488    5032  c8ce4c8f369ecd6d09a8a6b6a6ab4036.exe  93
  PID 5032 wrote to memory of 2488    5032  c8ce4c8f369ecd6d09a8a6b6a6ab4036.exe  93
  PID 5032 wrote to memory of 2488    5032  c8ce4c8f369ecd6d09a8a6b6a6ab4036.exe  93
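The yara_rule rows above name their matches by sandbox resource, and the two memory dumps for PID 2488 both span 0x400000 to 0x43E000, the default 32-bit image base with a 0x3E000 image. The following is an added example (not the sandbox's own rule or code) that parses those resource names back into PID, dump index and region size, and checks a PE image for UPX section names. The PE bytes are constructed in the block; treating UPX0/UPX1 section names as the packer indicator is a common heuristic and an assumption about what the page's "upx" rule matches on.

```python
"""Parse Triage-style yara_rule resource names and check a PE for UPX sections.
Added example. The report row is the page's own text; the PE bytes are CONSTRUCTED.
The UPX0/UPX1 section-name check is an assumption, not the sandbox's rule."""
import re
import struct

# The flattened yara_rule row from the report (page text, not constructed).
REPORT_ROW = ("resource yara_rule behavioral2/files/0x000c00000002330d-3.dat upx "
              "behavioral2/memory/2488-5-0x0000000000400000-0x000000000043E000-memory.dmp upx "
              "behavioral2/memory/2488-16-0x0000000000400000-0x000000000043E000-memory.dmp upx -")

MEM_RE = re.compile(r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
                    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
FILE_RE = re.compile(r"^(?P<task>[^/]+)/files/(?P<fid>0x[0-9A-Fa-f]+)-(?P<idx>\d+)\.dat$")


def parse_yara_row(row):
    """Turn 'resource yara_rule <res> <rule> ... -' into a list of structured hits."""
    tokens = row.split()
    if tokens[:2] == ["resource", "yara_rule"]:
        tokens = tokens[2:]
    if tokens and tokens[-1] == "-":          # trailing separator in the flattened page
        tokens = tokens[:-1]
    if len(tokens) % 2:
        raise ValueError("resource/rule tokens do not pair up")
    hits = []
    for res, rule in zip(tokens[::2], tokens[1::2]):
        m = MEM_RE.match(res)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            hits.append({"kind": "memory", "pid": int(m["pid"]), "dump": int(m["idx"]),
                         "start": start, "end": end, "size": end - start, "rule": rule})
            continue
        m = FILE_RE.match(res)
        if m:
            hits.append({"kind": "file", "file_id": m["fid"], "rule": rule})
            continue
        raise ValueError("unrecognised resource name: " + res)
    return hits


def build_pe(section_names, image_base=0x400000, size_of_image=0x3E000):
    """CONSTRUCTED minimal PE32 header: DOS stub, COFF header, optional header, section table."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)       # ImageBase
    struct.pack_into("<I", opt, 56, size_of_image)    # SizeOfImage
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


def pe_info(data):
    """Read ImageBase, SizeOfImage and section names from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                              # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    table = opt + opt_size
    names = [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsec)]
    return {"image_base": image_base, "size_of_image": size_of_image, "sections": names}


def is_upx_packed(info):
    """Heuristic (assumption): UPX leaves sections named UPX0/UPX1."""
    return any(n.startswith("UPX") for n in info["sections"])


def dump_covers_image(hit, info):
    """True when a memory-dump resource spans exactly the mapped image."""
    return (hit["kind"] == "memory" and hit["start"] == info["image_base"]
            and hit["size"] == info["size_of_image"])


if __name__ == "__main__":
    for h in parse_yara_row(REPORT_ROW):
        print(h)
    print(is_upx_packed(pe_info(build_pe(["UPX0", "UPX1", ".rsrc"]))))
```

Both dumps of PID 2488 decode to the same 0x3E000-byte region, so the rule fired on the image itself rather than on a separately allocated buffer; a real triage would dump the region and run the section check on it, with the caveat that an unpacked-in-place UPX image keeps its section names after decompression.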
Processes

C:\Users\Admin\AppData\Local\Temp\c8ce4c8f369ecd6d09a8a6b6a6ab4036.exe (PID 5032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c8ce4c8f369ecd6d09a8a6b6a6ab4036.exe"
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\c8ce4c8f369ecd6d09a8a6b6a6ab4036mgr.exe (PID 2488)
      Command line: C:\Users\Admin\AppData\Local\Temp\c8ce4c8f369ecd6d09a8a6b6a6ab4036mgr.exe
      - Executes dropped EXE
        C:\Windows\SysWOW64\WerFault.exe (PID 3312)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 524
          - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 4264)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2488 -ip 2488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2376)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8
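The process tree and the signatures are two views of one event stream: the sample writes a second executable beside itself, spawns it, writes into its memory three times, and the child crashes under SysWOW64\WerFault.exe (so the child is a 32-bit process). The block below is an added example, not the sandbox's own detection logic, that correlates a constructed event stream into the same signature names. The events use the PIDs and paths from the report; the event shapes, the rename destination and the decision to count only the "-u -p <pid>" WerFault invocation as the crash (the "-pss" one is treated as the snapshot helper) are assumptions made here.

```python
"""Correlate sandbox-style process/file events into the report's signature names.
Added example. Events are CONSTRUCTED from the PIDs and paths in the report above;
the rename destination and the WerFault '-pss' handling are assumptions."""
from collections import defaultdict

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\c8ce4c8f369ecd6d09a8a6b6a6ab4036.exe"
DROPPED = TMP + r"\c8ce4c8f369ecd6d09a8a6b6a6ab4036mgr.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed event stream, in the order the process tree suggests.
EVENTS = [
    {"type": "process_create", "pid": 5032, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"type": "file_write", "pid": 5032, "path": DROPPED},
    {"type": "file_write", "pid": 5032,
     "path": r"C:\Windows\system32\spool\PRTPROCS\x64\24059C8.tmp"},
    # destination name is assumed; the report only says the process renamed itself
    {"type": "file_rename", "pid": 5032, "src": SAMPLE, "dst": TMP + r"\renamed.tmp"},
    {"type": "process_create", "pid": 2488, "ppid": 5032, "image": DROPPED, "cmdline": DROPPED},
    {"type": "write_process_memory", "pid": 5032, "target": 2488},
    {"type": "write_process_memory", "pid": 5032, "target": 2488},
    {"type": "write_process_memory", "pid": 5032, "target": 2488},
    {"type": "process_create", "pid": 3312, "ppid": 2488, "image": WERFAULT,
     "cmdline": WERFAULT + " -u -p 2488 -s 524"},
    {"type": "process_create", "pid": 4264, "image": WERFAULT,
     "cmdline": WERFAULT + " -pss -s 428 -p 2488 -ip 2488"},
]


def werfault_target(cmdline):
    """PID that WerFault was asked to report on, or None.
    Assumption: the '-pss' invocation is the snapshot helper that accompanies a
    report, so only the '-u -p <pid>' form counts as the crash itself."""
    tokens = cmdline.split()
    if "-pss" in tokens or "-p" not in tokens:
        return None
    return int(tokens[tokens.index("-p") + 1])


def correlate(events):
    """Return {signature name: [IoC tuples]} in the style of the report's Signatures."""
    sigs = defaultdict(list)
    image_of = {}             # pid -> image path
    written_by = {}           # lowercase path -> pid that wrote it
    wpm = defaultdict(int)    # (source pid, target pid) -> number of writes
    for ev in events:
        kind = ev["type"]
        if kind == "file_write":
            written_by[ev["path"].lower()] = ev["pid"]
            if ev["path"].lower().startswith(SYSTEM32):
                sigs["Drops file in System32 directory"].append((ev["pid"], ev["path"]))
        elif kind == "file_rename":
            # a process renaming its own image file
            if ev["src"].lower() == image_of.get(ev["pid"], "").lower():
                sigs["Suspicious behavior: RenamesItself"].append(ev["pid"])
        elif kind == "process_create":
            image_of[ev["pid"]] = ev["image"]
            writer = written_by.get(ev["image"].lower())
            if writer is not None and writer != ev["pid"]:
                sigs["Executes dropped EXE"].append((ev["pid"], writer))
            if ev["image"].lower().endswith("\\werfault.exe"):
                target = werfault_target(ev.get("cmdline", ""))
                if target is not None:
                    sigs["Program crash"].append((ev["pid"], target))
        elif kind == "write_process_memory":
            if ev["pid"] != ev["target"]:      # cross-process writes only
                wpm[(ev["pid"], ev["target"])] += 1
    for (src, dst), n in wpm.items():
        sigs["Suspicious use of WriteProcessMemory"].append((src, dst, n))
    return dict(sigs)


if __name__ == "__main__":
    for name, iocs in correlate(EVENTS).items():
        print(name, iocs)
```

The "Executes dropped EXE" rule keys on the dropped path having been written earlier in the same session by a different process, which is what makes the mgr.exe child suspicious even though its name is derived from the parent's; a PID-only match would miss a re-launch after the parent exits.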
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 107KB
MD5: 81fb76285084bad225824705f6865a94
SHA1: cb36881ed931102f3f86ebf309069f608f17dc7e
SHA256: 5f1c8013050932e6b70197fbc2216884639ad52d5a9d56a04fffc2408cf43b8b
SHA512: acc66f0dad718609d305f83b6e4ef374a4c3409ae0bb81bc4adea129c19b9259c2dc47796853ad906c96aba33de9fa9fa00a8628f2aca0d3e28cec5d767ced64