1b5c8a88096a7d43abdc2295a86d7b6b022f2038638ff5716711feaf6539d357

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df1578796a37d44be20fff9f1e040a2a.exe
Size

2.3MB
MD5

df1578796a37d44be20fff9f1e040a2a
SHA1

53ec3d8949adc4f8a1e317ffb2b66fe8c5bf1008
SHA256

1b5c8a88096a7d43abdc2295a86d7b6b022f2038638ff5716711feaf6539d357
SHA512

165efdeb675fac5b34ecea57f8a341c757bca7c7a4edcc788c769afb751323f56b92c3bd6c6335510b2501f88eb512468c20392d40a09a5b51732d4aa64a0365
SSDEEP

49152:NYU3y/UFikkRF7BNySqZsUuyGkmChBETp5oqzHjFTHCKhoTF6drI7au:13c57ISqZsSnCzzHgKSF7au

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3840	080717.exe
4296	eMule-0.48a-VeryCD080126-Update.exe

Loads dropped DLL 3 IoCs

pid	Process
4296	eMule-0.48a-VeryCD080126-Update.exe
4296	eMule-0.48a-VeryCD080126-Update.exe
4296	eMule-0.48a-VeryCD080126-Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3812	3840	WerFault.exe	87

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x000f0000000226fd-7.dat	nsis_installer_1

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4296	eMule-0.48a-VeryCD080126-Update.exe
4296	eMule-0.48a-VeryCD080126-Update.exe
4296	eMule-0.48a-VeryCD080126-Update.exe
4296	eMule-0.48a-VeryCD080126-Update.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 3840	836	df1578796a37d44be20fff9f1e040a2a.exe	87
PID 836 wrote to memory of 3840	836	df1578796a37d44be20fff9f1e040a2a.exe	87
PID 836 wrote to memory of 3840	836	df1578796a37d44be20fff9f1e040a2a.exe	87
PID 836 wrote to memory of 4296	836	df1578796a37d44be20fff9f1e040a2a.exe	95
PID 836 wrote to memory of 4296	836	df1578796a37d44be20fff9f1e040a2a.exe	95
PID 836 wrote to memory of 4296	836	df1578796a37d44be20fff9f1e040a2a.exe	95

C:\Users\Admin\AppData\Local\Temp\df1578796a37d44be20fff9f1e040a2a.exe
"C:\Users\Admin\AppData\Local\Temp\df1578796a37d44be20fff9f1e040a2a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\080717.exe
  C:\Users\Admin\AppData\Local\Temp\\080717.exe
  2⤵
  - Executes dropped EXE
  PID:3840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 228
    3⤵
    - Program crash
    PID:3812
- C:\Users\Admin\AppData\Local\Temp\eMule-0.48a-VeryCD080126-Update.exe
  C:\Users\Admin\AppData\Local\Temp\\eMule-0.48a-VeryCD080126-Update.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3840 -ip 3840
1⤵
PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\080717.exe

Filesize
288KB

MD5
f0f98045b25cf4cd015fc76ad1ad387e

SHA1
e0beb1e58644736c35d5488a8d0015d7577df66e

SHA256
4da1abf2a1f0d2387150381a92bddf5d8cc9ec1346a12a10829ac49567a0df9f

SHA512
f36fd0f343776d7d339d33c2cbd100fdcd43870af1cf8683a5280a5fa629c8c9fdf8fea3ba118cdb8fab6c9a12290957c10e7d0ce63d2f822fb3129f08a68daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMule-0.48a-VeryCD080126-Update.exe

Filesize
2.0MB

MD5
1da160b4cea9271f9127fa5e919d25c3

SHA1
de23c56793e33f53bb39515921e200d82cecf9ac

SHA256
897af27f7f0c925a2f3286a65b8832fa595d6ab61f96b7a8b0fbb1f055bb912a

SHA512
211ad8e131bd80d31efa1c73cc1b368761d97c175b16a00c048e51fc24732717757db3256f7e913e374b9c43da89728d229f6ffc25efb93ef98f02f50dfa75f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfDF75.tmp\InstallOptions.dll

Filesize
14KB

MD5
296a5f3179fa8d7a7a855eaf696ede44

SHA1
57aa5b71553ed282dd22c768e039a187f5c13f63

SHA256
ee0ad77e681c4d0fdf1d67df5f4ca03e6bdd8e3b05dfb47a83ad5c733ed62960

SHA512
bc527d1485f468e8d098057e0e38e8cb7aa6eb64d4ca30927b99b1552a3177b132b989015ff95bdf2ca046bf11a54b4b456f51e024fbc734fbb548c3499e53f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfDF75.tmp\ioSpecial.ini

Filesize
761B

MD5
1c20839ea2a5af209c7029f62430d6e6

SHA1
9be8df9cd98fd08831ccfaef01d4cee170882040

SHA256
9cee676ab2ba4a58e19add8febd9f502740e156895569149155a1a2634d904b4

SHA512
e0d82e8495361ff2e4a1341ddb1b093122fe5326370264106998b595f9531de9a32d8bb8fc79c4bc9a03e7f072a0bdc6a7acbff4316fb5076de923feeaadf484

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfDF75.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
memory/836-9-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3840-4-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download