Analysis
max time kernel: 143s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-03-2024 17:41
Static task: static1
Behavioral task: behavioral1
  Sample: dfbda9ba678ce8e1ac8ae2631a4aff3a.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: dfbda9ba678ce8e1ac8ae2631a4aff3a.exe
  Resource: win10v2004-20240226-en
General
Target: dfbda9ba678ce8e1ac8ae2631a4aff3a.exe
Size: 347KB
MD5: dfbda9ba678ce8e1ac8ae2631a4aff3a
SHA1: 66493a44365c5121115738585cd747ddc4b74d01
SHA256: 8397db09c023fa4cd66de4bdd9b75ff86c5be5ab59bd236d4583f57352a2a939
SHA512: 4923edffd85b76f9c55accfeef5239d48232dfd75da70b7c02ed0e22ef499d957293e185c33f0cdfce0ac9165ad3c50725985bd07c6ed8ea871275d5c5d82419
SSDEEP: 6144:HO+TyiE8+aqCjToXVpGOZcWixTmAcThAkZThMTMY:JXEkqeolrix1c60yX
Malware Config
Signatures
Drops desktop.ini file(s) (4 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\Program Files\desktop.ini | dfbda9ba678ce8e1ac8ae2631a4aff3a.exe
  File created | \??\c:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini | dfbda9ba678ce8e1ac8ae2631a4aff3a.exe
  File opened for modification | \??\c:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini | dfbda9ba678ce8e1ac8ae2631a4aff3a.exe
  File created | \??\c:\Program Files\desktop.ini | dfbda9ba678ce8e1ac8ae2631a4aff3a.exe
Drops file in Program Files directory (64 IoCs)
Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  1864 | 3400 | WerFault.exe | 94
Processes
C:\Users\Admin\AppData\Local\Temp\dfbda9ba678ce8e1ac8ae2631a4aff3a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dfbda9ba678ce8e1ac8ae2631a4aff3a.exe"
  PID: 3400
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 984
    PID: 1864
    - Program crash
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
  PID: 1880
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3400 -ip 3400
  PID: 2584
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 5B
MD5: b5b682b742431a52ea8b17c72ad9c572
SHA1: 326320f469235708c59f678c9a7357dca552d306
SHA256: 30d9045a9f172208b13161d1f5204e5787e5e07bfbb4f490d0041b03b7f44f76
SHA512: 4e1bd7cc616b3115baf6be7ebd29fe2d1123bc0f25464865a0cf9207b0344fba70747a5ce6f00e8d9c696881f6db1e12f81736bc748b6f2b60bf84c681a49163

Filesize: 5.4MB
MD5: 61b756391195c4138108d5c5b7171127
SHA1: 2340816facb103ed011ca971d85082791736849c
SHA256: 45e1b5f0cb4badfcc6817aa58d43812dd1f4d020b9336216f42ad1546c9edc80
SHA512: 81f1fc41509ccaced4985052577e8ab3ca59f4f6b384e277b6a6f078fcae3266443eb1e87318199cb3ab679a1bff94eb472db5ee3028766864f4bebb928b4977