b2417b323aec52f1ffbbdbe908c5778116caf588378364b109e606892b58f912

Analysis

max time kernel
142s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5536e526c9c4948dad7f4417f9b671c.exe
Size

747KB
MD5

d5536e526c9c4948dad7f4417f9b671c
SHA1

fe52bd3df4e8910b27151c65db08c548dff16c2c
SHA256

b2417b323aec52f1ffbbdbe908c5778116caf588378364b109e606892b58f912
SHA512

757cfc637499203e6bb308f2d5b17d37c3be93857fcfa34830f07fdd33bdc26fb59179dc3df11e1726dcd7b6fcbcbea0e777828325925623a5f92e1ceb8ab1eb
SSDEEP

12288:uYhdTxARNHD/MejMps3kEyKBjCt407EhNnZwek8eF3Z4mxxIkKeTq+4aFKaXgstB:jzTxARNjUeqaXBOt42EzZfk8eQmXIiTV

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2560	RunMgr.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\RunMgr.EXE	d5536e526c9c4948dad7f4417f9b671c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2668	2560	WerFault.exe	28
3004	2848	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2848	d5536e526c9c4948dad7f4417f9b671c.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2560	2848	d5536e526c9c4948dad7f4417f9b671c.exe	28
PID 2848 wrote to memory of 2560	2848	d5536e526c9c4948dad7f4417f9b671c.exe	28
PID 2848 wrote to memory of 2560	2848	d5536e526c9c4948dad7f4417f9b671c.exe	28
PID 2848 wrote to memory of 2560	2848	d5536e526c9c4948dad7f4417f9b671c.exe	28
PID 2848 wrote to memory of 2764	2848	d5536e526c9c4948dad7f4417f9b671c.exe	29
PID 2848 wrote to memory of 2764	2848	d5536e526c9c4948dad7f4417f9b671c.exe	29
PID 2848 wrote to memory of 2764	2848	d5536e526c9c4948dad7f4417f9b671c.exe	29
PID 2848 wrote to memory of 2764	2848	d5536e526c9c4948dad7f4417f9b671c.exe	29
PID 2560 wrote to memory of 2668	2560	RunMgr.EXE	30
PID 2560 wrote to memory of 2668	2560	RunMgr.EXE	30
PID 2560 wrote to memory of 2668	2560	RunMgr.EXE	30
PID 2560 wrote to memory of 2668	2560	RunMgr.EXE	30
PID 2848 wrote to memory of 2412	2848	d5536e526c9c4948dad7f4417f9b671c.exe	32
PID 2848 wrote to memory of 2412	2848	d5536e526c9c4948dad7f4417f9b671c.exe	32
PID 2848 wrote to memory of 2412	2848	d5536e526c9c4948dad7f4417f9b671c.exe	32
PID 2848 wrote to memory of 2412	2848	d5536e526c9c4948dad7f4417f9b671c.exe	32
PID 2848 wrote to memory of 3004	2848	d5536e526c9c4948dad7f4417f9b671c.exe	33
PID 2848 wrote to memory of 3004	2848	d5536e526c9c4948dad7f4417f9b671c.exe	33
PID 2848 wrote to memory of 3004	2848	d5536e526c9c4948dad7f4417f9b671c.exe	33
PID 2848 wrote to memory of 3004	2848	d5536e526c9c4948dad7f4417f9b671c.exe	33

C:\Users\Admin\AppData\Local\Temp\d5536e526c9c4948dad7f4417f9b671c.exe
"C:\Users\Admin\AppData\Local\Temp\d5536e526c9c4948dad7f4417f9b671c.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\RunMgr.EXE
  "C:\Windows\RunMgr.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 88
    3⤵
    - Program crash
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del %SystemRoot%\Debug.exe
  2⤵
  PID:2764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\D5536E~1.EXE > nul
  2⤵
  PID:2412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 316
  2⤵
  - Program crash
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\RunMgr.EXE

Filesize
382KB

MD5
fe1c238e5d56b2ba56db1ee0697d5a26

SHA1
1fa8658764ff0f33ecaae23cb966a692d2cc16e5

SHA256
3a8dfbf9846807917f7f0e65702ddbc77baaba5f3930bbde9472d6d19974a784

SHA512
152040c8064976b0fb353bedc5825773bf930ecdf85d2d1248e82d5f099151f570044368ba0de1ae1c92d322ed71beb1001bb629ee870ad77a2f8eb086347300

Download Submit
memory/2848-19-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2848-26-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2848-2-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2848-6-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2848-17-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2848-16-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2848-15-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2848-14-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2848-13-0x00000000031E0000-0x00000000031E2000-memory.dmp

Filesize
8KB

Download
memory/2848-27-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2848-11-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/2848-10-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2848-9-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2848-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2848-5-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2848-24-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2848-1-0x0000000000360000-0x00000000003B4000-memory.dmp

Filesize
336KB

Download
memory/2848-0-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2848-3-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2848-25-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2848-12-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2848-28-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2848-29-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/2848-30-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/2848-31-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2848-32-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/2848-33-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/2848-34-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/2848-36-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2848-38-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2848-39-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2848-37-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/2848-35-0x00000000031D0000-0x00000000031D2000-memory.dmp

Filesize
8KB

Download
memory/2848-40-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2848-41-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2848-42-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2848-43-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2848-44-0x0000000000360000-0x00000000003B4000-memory.dmp

Filesize
336KB

Download