d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee

Resubmissions

22/09/2021, 14:12

210922-rh4yasfecj 10

Analysis

max time kernel
1193s
max time network
1202s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2024, 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
Size

434KB
MD5

abac8b5fb6a305939c7ac38ea06666bd
SHA1

b42bbb582a8bbf08e865e5181dba0f67c659763e
SHA256

d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee
SHA512

287e06f2ba0a071fb4cb0a62f127cd38c47225d0808fb685773eeb132bb9d7de06a401bab7d86714785cee04b27c40e93eeae7ade2eab1f5d200188b477671da
SSDEEP

12288:rXPcLcbGfVylwG/ZDCK/ScBXo8TsyMkKMY8m7WOK95OTTsx/SA/WegYfdNbrqnuw:rXh6XcBXo8TsL8Y8m4OTTySA/DrfdNbS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2400	GetX64BTIT.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4908	3176	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 2400	3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe	92
PID 3176 wrote to memory of 2400	3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe	92
PID 3176 wrote to memory of 1756	3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe	78
PID 3176 wrote to memory of 824	3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe	79
PID 3176 wrote to memory of 3996	3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe	80
PID 3176 wrote to memory of 2848	3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe	81
PID 3176 wrote to memory of 1700	3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe	82
PID 3176 wrote to memory of 4260	3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe	84
PID 3176 wrote to memory of 5048	3176	d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe	85
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104
PID 1756 wrote to memory of 3740	1756	msedge.exe	104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffece862e98,0x7ffece862ea4,0x7ffece862eb0
  2⤵
  PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2400 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:2
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3276 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3380 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5288 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5500 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3552 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3648 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2400

C:\Users\Admin\AppData\Local\Temp\d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe
"C:\Users\Admin\AppData\Local\Temp\d7a6495589f3f791fe1a074c64922c17979229a79e5f0a57046254d9fd712eee.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 692
  2⤵
  - Program crash
  PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3176 -ip 3176
1⤵
PID:2128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
420d5c440cd2857e118af286dfc429fb

SHA1
b428ec5c14085140f6e850df6af84bec18da28dc

SHA256
28fd178ce4b5dd6e4b567c294e13e3c5f012f5ac81c8e92d80b09fa0886d4b09

SHA512
630c097d7c1f89271a278089201600aef27e9b3fd3a563f2d937548bacc7de0f54566a799642fe2fe466f934af198f7786c256516e03968a171c07429f0b1458

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
de6422c1988e02298accf223d898e958

SHA1
5f0a49eafb71a054e8a8613a6eeff10e422a5756

SHA256
e7118fd5d86617e46a7df14475f53b38679e6a8ba6832b50d5b87852689ecd98

SHA512
e00b6ddd10f65c8e52b43f858644d538f5a928743a93d78c290aa72b7c8903e15d1dd83448e4b02899bc2d986474262edb66bddd659171d0dc3ae1b54f0bf481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
46KB

MD5
b9600bb996e9a161bb7cc62db5adb286

SHA1
3c9f938ab6c04490f42f504427e9d6981250f904

SHA256
3b9260ebd5d260b0c8b71b52da061ac384fd1a9f5b2a8d3229d9f34dcbe68c70

SHA512
894e4eae80a81ceef247adbfbae73c994384fb83c2de578f1714911f151b43c93159a3a929795d95fa67721ab50a43898b25b7a6c569ff4199a4afd128114fec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\a8c76725-fc6e-4084-8954-7c2ba936a035.tmp

Filesize
36KB

MD5
6e1cc8de752d1d1bfb20e4f69efe9dea

SHA1
e884e39b1229084d74d2b10d12b4ec0286683805

SHA256
1bba9e6f66a5db9e54c1623c2f48994bf4b56a407db2f83644d3aad1022cf3a2

SHA512
43695be46f6111ac0d110f5cb41523ac295d89a50eddc3b7b3069ffd8629038ae71f7b0af528027c3c50f8d40f607a93029355eb08623d5562c255aa2d78791d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
2b9f2aee997e0651203d77fc92a18242

SHA1
b59da44ec1820348ef0822cf8e7a51754a9aa8b7

SHA256
c1128af16d7dc51f0f4a7c0be5bcd45db7c987b579e18f1bb7ed85fd8661b0aa

SHA512
f5ea16b0244d8cf698d0b7c5587bb17e084c501f04eaef70e32957f4ace375cc15eef6329af7adf4e370dfbcd80e6d22710ea52c6cf5e4e8e81cee5344c61cc0

Download Submit