c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929

Analysis

max time kernel
194s
max time network
255s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-04-2024 13:52

Target

wininit (1).exe
Size

1.3MB
MD5

6b7314e8a04ad8436c3aff06f3918ea6
SHA1

61c5aca05c76396e70054b732d9afb7d4a5e293d
SHA256

c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929
SHA512

00b5c837c36cb44d5b1a7c724746daf85b4a1d4b89d55a2d81e8999ed34035baa84a8f9fc976704ec92afe52a316c09eb7b7d012d66d8d5eea284d31d5974baf
SSDEEP

24576:LAHnh+eWsN3skA4RV1Hom2KXMmHaUCTOhtduicYukHxavC55:mh+ZkldoPK8YaUC6h/qg

Score

7^/10

Drops startup file 1 IoCs

Processes:

excel.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs excel.exe
Executes dropped EXE 1 IoCs

Processes:

excel.exe

pid process

3500 excel.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs	excel.exe

pid	process
3500	excel.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\directory\excel.exe	autoit_exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4588 3500 WerFault.exe excel.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

excel.exe

pid process

3500 excel.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

wininit (1).exeexcel.exe

pid process

4684 wininit (1).exe
4684 wininit (1).exe
3500 excel.exe
3500 excel.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

wininit (1).exeexcel.exe

pid process

4684 wininit (1).exe
4684 wininit (1).exe
3500 excel.exe
3500 excel.exe

pid	pid_target	process	target process
4588	3500	WerFault.exe	excel.exe

pid	process
3500	excel.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wininit (1).exeexcel.exe

description	pid	process	target process
PID 4684 wrote to memory of 3500	4684	wininit (1).exe	excel.exe
PID 4684 wrote to memory of 3500	4684	wininit (1).exe	excel.exe
PID 4684 wrote to memory of 3500	4684	wininit (1).exe	excel.exe
PID 3500 wrote to memory of 1420	3500	excel.exe	svchost.exe
PID 3500 wrote to memory of 1420	3500	excel.exe	svchost.exe
PID 3500 wrote to memory of 1420	3500	excel.exe	svchost.exe

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"
3⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 720
3⤵
- Program crash
PID:4588

C:\Users\Admin\AppData\Local\Temp\Thebit

Filesize
483KB

MD5
a04675531940882479c988422f627c21

SHA1
48bb45a49c1600e8f16ffe612170787f841cd969

SHA256
011bee0b69f6d996fd2ddced3a417739375f6a3909ff46d23bcca2f0d14680d5

SHA512
f8f2e1c49d7a7153a8522488a259ff37927c6c133b2030fdf70728aa034b02f2fd704d2bba7ad6660eb0f6b3696108a26df1c479723330f49ea0e462c13ba24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\saccule

Filesize
29KB

MD5
7b4ee3164750a624febb01f867bdb208

SHA1
2c68f3bc9f02ef7229da72935b33053885ad19e0

SHA256
fc648d1008816e63cb562eec07b7ae56ab4c5be06da13282a213f9c9e6f3c2a5

SHA512
aa088d535f08520ba2299da40c2e5c6ee1375eb67ac9f2438f431bda1312d024e38793c1b074f08b0accf8bf89db630b46de5b9883036b84ab50b473bbc1dc41

Download Submit
C:\Users\Admin\AppData\Local\directory\excel.exe

Filesize
101.3MB

MD5
b782fcb7b21966d286adb631ce53d10c

SHA1
af76491cc33150896ca45d1a86cc6d37c6c538f6

SHA256
c812d845a97b66335655d6eaa14abb172d26c7dcbca2630e62d6f8ddddcb77f8

SHA512
60140a0f4a307cdc16ea28eade599d4cceb74993423f4258094a0a1025642e7af42dff28ceeca49257c19429b72ba4f9debf4aa50ef2e2213e0111c8fc38c2f6

Download Submit
memory/4684-10-0x0000000000A50000-0x0000000000A54000-memory.dmp

Filesize
16KB

Download