146a13ff0619dc191a88422c0393601eaa51596b020e9c4244b9c4f2f1020297

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e14552ab2611f0bb677a15cb673ea7d5.exe
Size

497KB
MD5

e14552ab2611f0bb677a15cb673ea7d5
SHA1

7d1157a982601536c840c88c7776f495435bd9cd
SHA256

146a13ff0619dc191a88422c0393601eaa51596b020e9c4244b9c4f2f1020297
SHA512

9f413cdb38b9f21e9b0a2f8115d2285e25641f6ffd40358b96ddad1039a4845722220436463c8566d119cce5cf2f86c2569cdb52b5067e84117f42f44676315d
SSDEEP

6144:jk5M5FaYJsX6GH8JadDFIMNQhUGVDAT4l+m/60+B:o92iH8JldDAT4lh/cB

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3556	Rfybea.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4724-0-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/4724-1-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/files/0x000700000002270c-10.dat	upx
behavioral2/memory/3556-12-0x0000000000400000-0x000000000047E000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	e14552ab2611f0bb677a15cb673ea7d5.exe
File created	C:\Windows\Rfybea.exe	e14552ab2611f0bb677a15cb673ea7d5.exe
File opened for modification	C:\Windows\Rfybea.exe	e14552ab2611f0bb677a15cb673ea7d5.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Rfybea.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Rfybea.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	e14552ab2611f0bb677a15cb673ea7d5.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4932	3556	WerFault.exe	91

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\Main	Rfybea.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe
3556	Rfybea.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 3556	4724	e14552ab2611f0bb677a15cb673ea7d5.exe	91
PID 4724 wrote to memory of 3556	4724	e14552ab2611f0bb677a15cb673ea7d5.exe	91
PID 4724 wrote to memory of 3556	4724	e14552ab2611f0bb677a15cb673ea7d5.exe	91

C:\Users\Admin\AppData\Local\Temp\e14552ab2611f0bb677a15cb673ea7d5.exe
"C:\Users\Admin\AppData\Local\Temp\e14552ab2611f0bb677a15cb673ea7d5.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\Rfybea.exe
  C:\Windows\Rfybea.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:3556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 716
    3⤵
    - Program crash
    PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3556 -ip 3556
1⤵
PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Rfybea.exe

Filesize
497KB

MD5
e14552ab2611f0bb677a15cb673ea7d5

SHA1
7d1157a982601536c840c88c7776f495435bd9cd

SHA256
146a13ff0619dc191a88422c0393601eaa51596b020e9c4244b9c4f2f1020297

SHA512
9f413cdb38b9f21e9b0a2f8115d2285e25641f6ffd40358b96ddad1039a4845722220436463c8566d119cce5cf2f86c2569cdb52b5067e84117f42f44676315d

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
362B

MD5
1a7303fac3fa4bc2cd3d69fb7c20cc32

SHA1
0ec5f6c1ee75cb69a5c2f0b25904510caa6483a6

SHA256
823fa6a59352123debed6f616c23b640094ff1281372d97968ca85fee34200e4

SHA512
02ebfd8cedb09eaf3126c0b908f4990ed31dd01c394f0916a09de73dde7019c658845ed1bd4973ccf109e194077863d1255b8121196c64d3a0234f3e03c50024

Download Submit
memory/3556-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3556-143906-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3556-40089-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3556-35959-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3556-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3556-15-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4724-5-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4724-21119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4724-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4724-2-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/4724-1-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download