Analysis
max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted
29/03/2024, 19:59
Static task
static1
Behavioral task
behavioral1
Sample
37e02c5103ce940a75439d07fd7f43e4945da7ffb17501b04a137a9969c858a1.exe
Resource
win7-20240221-en
General
Target
37e02c5103ce940a75439d07fd7f43e4945da7ffb17501b04a137a9969c858a1.exe
Size
602KB
MD5
d7d05f1d921be037982d8c1fa20e6be5
SHA1
b31b9ea455ce1fc0ad6c8bcdd3a5d923b3b5a60a
SHA256
37e02c5103ce940a75439d07fd7f43e4945da7ffb17501b04a137a9969c858a1
SHA512
44b7bdb4e3edc8cff779d76730a23bebce25c07ba63a670d26bfbda4bb339dce490f46aba996e8dcbd8d68cbdccc73a1b2504dfaebccacb0a4bb3cc0344884af
SSDEEP
6144:r0+URhIb8NDgt1n6+p5XWv5QzQArJa+156g0EP4IZne+Mlcp:vUDIbOgt1n6IdWqHa+15lHZne+Mlcp
Malware Config
Signatures
UPX dump on OEP (original entry point) 2 IoCs
resource                                                                     yara_rule
behavioral2/memory/1828-6-0x0000000000400000-0x0000000000432000-memory.dmp   UPX
behavioral2/memory/1828-7-0x0000000001F80000-0x0000000001FB2000-memory.dmp   UPX

Executes dropped EXE 1 IoCs
pid    Process
1828   37e02c5103ce940a75439d07fd7f43e4945da7ffb17501b04a137a9969c858a1mgr.exe

Loads dropped DLL 1 IoCs
pid    Process
1828   37e02c5103ce940a75439d07fd7f43e4945da7ffb17501b04a137a9969c858a1mgr.exe

resource                                                                     yara_rule
behavioral2/memory/1828-6-0x0000000000400000-0x0000000000432000-memory.dmp   upx

Program crash 1 IoCs
pid    pid_target   Process        procid_target
2680   1828         WerFault.exe   85

Suspicious use of WriteProcessMemory 3 IoCs
description                          pid    Process                                                                 procid_target
PID 4648 wrote to memory of 1828     4648   37e02c5103ce940a75439d07fd7f43e4945da7ffb17501b04a137a9969c858a1.exe   85
PID 4648 wrote to memory of 1828     4648   37e02c5103ce940a75439d07fd7f43e4945da7ffb17501b04a137a9969c858a1.exe   85
PID 4648 wrote to memory of 1828     4648   37e02c5103ce940a75439d07fd7f43e4945da7ffb17501b04a137a9969c858a1.exe   85
Processes
C:\Users\Admin\AppData\Local\Temp\37e02c5103ce940a75439d07fd7f43e4945da7ffb17501b04a137a9969c858a1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\37e02c5103ce940a75439d07fd7f43e4945da7ffb17501b04a137a9969c858a1.exe"
  PID: 4648
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\37e02c5103ce940a75439d07fd7f43e4945da7ffb17501b04a137a9969c858a1mgr.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\37e02c5103ce940a75439d07fd7f43e4945da7ffb17501b04a137a9969c858a1mgr.exe
      PID: 1828
      - Executes dropped EXE
      - Loads dropped DLL
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 520
          PID: 2680
          - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1828 -ip 1828
  PID: 2528
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\Temp\37e02c5103ce940a75439d07fd7f43e4945da7ffb17501b04a137a9969c858a1mgr.exe
Filesize
157KB
MD5
2ad7467eeceedd64b8bd4f6e04c3cd49
SHA1
d6c5d9878dc49ae9b531d61283609e207154a921
SHA256
2aab17b2f18dfb70cd737b27b1a438ad8878889070a6e025b3684483054f60c9
SHA512
7a647d4a8de90d11cd5afb82ace8354869af0893f28afcf9491d1d4de421315d9a394a5d3462d88c0eff6c5a7a4ed41897d8d0498b59b4b7428ddbb61786be2a

Filesize
1.6MB
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1
e16506f662dc92023bf82def1d621497c8ab5890
SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219