7d69e0d82e74059115486fae5dd5ac6463c7fccd91dbbcaa9587117c7d201ddb

Resubmissions

22-04-2024 22:02

240422-1xtwbagh68 10

22-04-2024 19:25

240422-x42b7afa68 10

19-04-2024 03:02

240419-djmthsfh8w 10

Analysis

max time kernel
143s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe
Size

14.4MB
MD5

ecaa6f88c3b6594914a8ffde04fd5d84
SHA1

885e4370299d369f7285ba5f2c544cbcd70a5fd0
SHA256

11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432
SHA512

94712c9ceddc1e2abd7ec19dc39bf2cbea54d3430f66887e2e0861c2cdb4c4ee24c39d3140c9374e826049516b814c3fcfcf4c49402bc5c2335d87bc0ee67f83
SSDEEP

393216:hp8QGQCKH9iqYCfy8tW5MrYR0aioa4CMRmrrCZRBkyQzy:v8QGrK5GXR9ioaJMRmrrdysy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

GUBootService.exe

pid process

2900 GUBootService.exe

pid	process
2900	GUBootService.exe

Loads dropped DLL 9 IoCs

Processes:

11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exemore.comFahu.au3WerFault.exe

pid	process
2960	11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe
2960	11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe
1428	more.com
1936	Fahu.au3
1084	WerFault.exe
1084	WerFault.exe
1084	WerFault.exe
1084	WerFault.exe
1084	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

GUBootService.exe

description pid process target process

PID 2900 set thread context of 1428 2900 GUBootService.exe more.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1084 1936 WerFault.exe Fahu.au3
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

GUBootService.exemore.com

pid process

2900 GUBootService.exe
2900 GUBootService.exe
1428 more.com
1428 more.com
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

GUBootService.exemore.com

pid process

2900 GUBootService.exe
1428 more.com
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

GUBootService.exe

pid process

2900 GUBootService.exe

description	pid	process	target process
PID 2900 set thread context of 1428	2900	GUBootService.exe	more.com

pid	pid_target	process	target process
1084	1936	WerFault.exe	Fahu.au3

pid	process
2900	GUBootService.exe
2900	GUBootService.exe
1428	more.com
1428	more.com

pid	process
2900	GUBootService.exe
1428	more.com

pid	process
2900	GUBootService.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exeGUBootService.exemore.comFahu.au3

description	pid	process	target process
PID 2960 wrote to memory of 2900	2960	11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe	GUBootService.exe
PID 2960 wrote to memory of 2900	2960	11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe	GUBootService.exe
PID 2960 wrote to memory of 2900	2960	11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe	GUBootService.exe
PID 2960 wrote to memory of 2900	2960	11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe	GUBootService.exe
PID 2900 wrote to memory of 1428	2900	GUBootService.exe	more.com
PID 2900 wrote to memory of 1428	2900	GUBootService.exe	more.com
PID 2900 wrote to memory of 1428	2900	GUBootService.exe	more.com
PID 2900 wrote to memory of 1428	2900	GUBootService.exe	more.com
PID 2900 wrote to memory of 1428	2900	GUBootService.exe	more.com
PID 1428 wrote to memory of 1936	1428	more.com	Fahu.au3
PID 1428 wrote to memory of 1936	1428	more.com	Fahu.au3
PID 1428 wrote to memory of 1936	1428	more.com	Fahu.au3
PID 1428 wrote to memory of 1936	1428	more.com	Fahu.au3
PID 1428 wrote to memory of 1936	1428	more.com	Fahu.au3
PID 1936 wrote to memory of 1084	1936	Fahu.au3	WerFault.exe
PID 1936 wrote to memory of 1084	1936	Fahu.au3	WerFault.exe
PID 1936 wrote to memory of 1084	1936	Fahu.au3	WerFault.exe
PID 1936 wrote to memory of 1084	1936	Fahu.au3	WerFault.exe
PID 1428 wrote to memory of 1936	1428	more.com	Fahu.au3

C:\Users\Admin\AppData\Local\Temp\11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe
"C:\Users\Admin\AppData\Local\Temp\11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Local\Temp\GUBootService.exe
"C:\Users\Admin\AppData\Local\Temp\GUBootService.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\Fahu.au3
C:\Users\Admin\AppData\Local\Temp\Fahu.au3
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 252
5⤵
- Loads dropped DLL
- Program crash
PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e11b3651

Filesize
2.0MB

MD5
d2235aeb97c1be6fbdd13517579bcbf9

SHA1
335abcda67ceab10c96bf4855642e031d65aa282

SHA256
fa699bcb14ae008a91105ab5ba25744e1f16420b95c628ce21329b285cee511a

SHA512
e4fcedf30de47a134d77ebd245c1e4036c8cdffdea84a44dad982e5c62346fc8ff304266e8b62d190159c5c6619d1bf5dc1ff8d70e73f78d56015d6f661c2041

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5153356

Filesize
1.8MB

MD5
4f0b38d21f324e0d6aad2f08e6ffc9f0

SHA1
fa529c21b07dd81f03dd29aaf50bbbc91bdf6942

SHA256
b0dd13baf1f2713ea4f6cb43ff4b00aa7f554de96c3681db33e072ad8ad0761b

SHA512
03e92f0686ab04a84863c0124b786c8e41407a0f4f40a2396809fc259245ee469b62c6e3dbdf3d40fb0448820f7806a91f7b86b13641b4d4390da9318b2b0c81

Download Submit
\Users\Admin\AppData\Local\Temp\Fahu.au3

Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
\Users\Admin\AppData\Local\Temp\GUBootService.exe

Filesize
11.5MB

MD5
4a053e8f03eba1dd6fcd28aeea8dc05f

SHA1
080d5f4b1c1e892658672aded073b70dfd14f7de

SHA256
6a5cc7a1803b002e91129d9317fa8f2d79fc07775ded7163c38d41569f8068ed

SHA512
32e3cc6fbb5db6b38c5aa18b3bb077c9e03e218d3698d6a30a6e62bfcba2692d4b625b286df0604637a5a7488d8215406c46f337f8ca908081b300a58945de3d

Download Submit
memory/1428-118-0x00000000778D0000-0x0000000077A79000-memory.dmp

Filesize
1.7MB

Download
memory/1428-126-0x0000000074850000-0x00000000749C4000-memory.dmp

Filesize
1.5MB

Download
memory/1428-121-0x0000000074850000-0x00000000749C4000-memory.dmp

Filesize
1.5MB

Download
memory/1428-120-0x0000000074850000-0x00000000749C4000-memory.dmp

Filesize
1.5MB

Download
memory/1428-116-0x0000000074850000-0x00000000749C4000-memory.dmp

Filesize
1.5MB

Download
memory/1936-129-0x00000000000C0000-0x000000000010D000-memory.dmp

Filesize
308KB

Download
memory/1936-128-0x00000000778D0000-0x0000000077A79000-memory.dmp

Filesize
1.7MB

Download
memory/1936-132-0x0000000000DD0000-0x0000000000EBB000-memory.dmp

Filesize
940KB

Download
memory/1936-133-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1936-139-0x00000000000C0000-0x000000000010D000-memory.dmp

Filesize
308KB

Download
memory/1936-140-0x00000000000C0000-0x000000000010D000-memory.dmp

Filesize
308KB

Download
memory/2900-114-0x0000000074850000-0x00000000749C4000-memory.dmp

Filesize
1.5MB

Download
memory/2900-113-0x0000000074850000-0x00000000749C4000-memory.dmp

Filesize
1.5MB

Download
memory/2900-112-0x00000000778D0000-0x0000000077A79000-memory.dmp

Filesize
1.7MB

Download
memory/2900-111-0x0000000074850000-0x00000000749C4000-memory.dmp

Filesize
1.5MB

Download
memory/2900-104-0x0000000000400000-0x000000000081A000-memory.dmp

Filesize
4.1MB

Download