e4800fae7f1cd28309b163771c9016db5410d49194a5f5adc3318000563db2e6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-03-2024 10:08

Target

Proforma,jpg.exe
Size

305KB
MD5

8ee039098b76daabd526bde87ca0a851
SHA1

072dce9501058dce29e7d737b8e6789afe9edbf5
SHA256

9ffaac05d6fa9eaaafbeefc070c2d520e6050add802cf5d44d281d3c40505d5c
SHA512

3ae9a722b2fa53a5d3f4c82e1bc554ad939f8d23972642b36f5212779d49a8bd242a15604a13f0f9dfa280524793674692214d67595cc01927f682b313328b78
SSDEEP

6144:F8LxBsySugYtXL32VEcFaqilZHWS1OUM1GS27/H7FPG2HNHhB:/PVYL5lZHxuAS2bH0GVj

Score

7^/10

Loads dropped DLL 1 IoCs

Processes:

Proforma,jpg.exe

pid process

5004 Proforma,jpg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2788 5004 WerFault.exe Proforma,jpg.exe

pid	process
5004	Proforma,jpg.exe

pid	pid_target	process	target process
2788	5004	WerFault.exe	Proforma,jpg.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Proforma,jpg.exe

description	pid	process	target process
PID 5004 wrote to memory of 3884	5004	Proforma,jpg.exe	Proforma,jpg.exe
PID 5004 wrote to memory of 3884	5004	Proforma,jpg.exe	Proforma,jpg.exe
PID 5004 wrote to memory of 3884	5004	Proforma,jpg.exe	Proforma,jpg.exe

C:\Users\Admin\AppData\Local\Temp\Proforma,jpg.exe
"C:\Users\Admin\AppData\Local\Temp\Proforma,jpg.exe"
2⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1036
2⤵
- Program crash
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5004 -ip 5004
1⤵
PID:64

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\nsp45D4.tmp\ivhbtroxhv.dll

Filesize
22KB

MD5
a194ad7a3fe74fb6a1749a0d72bdaa79

SHA1
6718940dff7d9c85fa050d675e5fe7f3de78d29e

SHA256
37d8436aa414c5df4340f06fdeac9bb1ba1ec2a8a48918d6d96948e9ba1d862d

SHA512
109ddbb133b7c7fd08bc2c5ac794c10256b5b3030a9ce4c9fe6029e92d94959be05730e3fe039627a0eed6063a18ff5d863bc30e83cb5d8f5146820b7729b68f

Download Submit
memory/5004-6-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/5004-9-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download