7d69e0d82e74059115486fae5dd5ac6463c7fccd91dbbcaa9587117c7d201ddb

Resubmissions

22-04-2024 22:02

240422-1xtwbagh68 10

22-04-2024 19:25

240422-x42b7afa68 10

19-04-2024 03:02

240419-djmthsfh8w 10

Analysis

max time kernel
1466s
max time network
1500s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
22-04-2024 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe
Size

14.4MB
MD5

ecaa6f88c3b6594914a8ffde04fd5d84
SHA1

885e4370299d369f7285ba5f2c544cbcd70a5fd0
SHA256

11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432
SHA512

94712c9ceddc1e2abd7ec19dc39bf2cbea54d3430f66887e2e0861c2cdb4c4ee24c39d3140c9374e826049516b814c3fcfcf4c49402bc5c2335d87bc0ee67f83
SSDEEP

393216:hp8QGQCKH9iqYCfy8tW5MrYR0aioa4CMRmrrCZRBkyQzy:v8QGrK5GXR9ioaJMRmrrdysy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

GUBootService.exe

pid process

4932 GUBootService.exe
Loads dropped DLL 1 IoCs

Processes:

Fahu.au3

pid process

240 Fahu.au3
Suspicious use of SetThreadContext 1 IoCs

Processes:

GUBootService.exe

description pid process target process

PID 4932 set thread context of 2160 4932 GUBootService.exe more.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

GUBootService.exemore.com

pid process

4932 GUBootService.exe
4932 GUBootService.exe
2160 more.com
2160 more.com
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

GUBootService.exemore.com

pid process

4932 GUBootService.exe
2160 more.com
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

GUBootService.exe

pid process

4932 GUBootService.exe

pid	process
4932	GUBootService.exe

pid	process
240	Fahu.au3

description	pid	process	target process
PID 4932 set thread context of 2160	4932	GUBootService.exe	more.com

pid	process
4932	GUBootService.exe
4932	GUBootService.exe
2160	more.com
2160	more.com

pid	process
4932	GUBootService.exe
2160	more.com

pid	process
4932	GUBootService.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exeGUBootService.exemore.com

description	pid	process	target process
PID 2704 wrote to memory of 4932	2704	11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe	GUBootService.exe
PID 2704 wrote to memory of 4932	2704	11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe	GUBootService.exe
PID 2704 wrote to memory of 4932	2704	11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe	GUBootService.exe
PID 4932 wrote to memory of 2160	4932	GUBootService.exe	more.com
PID 4932 wrote to memory of 2160	4932	GUBootService.exe	more.com
PID 4932 wrote to memory of 2160	4932	GUBootService.exe	more.com
PID 4932 wrote to memory of 2160	4932	GUBootService.exe	more.com
PID 2160 wrote to memory of 240	2160	more.com	Fahu.au3
PID 2160 wrote to memory of 240	2160	more.com	Fahu.au3
PID 2160 wrote to memory of 240	2160	more.com	Fahu.au3
PID 2160 wrote to memory of 240	2160	more.com	Fahu.au3

C:\Users\Admin\AppData\Local\Temp\11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe
"C:\Users\Admin\AppData\Local\Temp\11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\GUBootService.exe
"C:\Users\Admin\AppData\Local\Temp\GUBootService.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2160

C:\Users\Admin\AppData\Local\Temp\Fahu.au3
C:\Users\Admin\AppData\Local\Temp\Fahu.au3
4⤵
- Loads dropped DLL
PID:240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\43f888

Filesize
1.8MB

MD5
cd1838cf69d2b756935dd4f5eebdb327

SHA1
7e927a1e0e8558b73b1811d052d755e3759f7893

SHA256
fb6c72547f3b34569b6b4624371c253325603412a3420db03d8ad5298094f65f

SHA512
f1784200aeae346155d839272acb351c3fac59d421cd53ed60fe5686164ec948e5f8f0c8d564dd69211c5bd12bcf42f22a32a992d931c0efa2c6e894162fe79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fahu.au3

Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUBootService.exe

Filesize
11.5MB

MD5
4a053e8f03eba1dd6fcd28aeea8dc05f

SHA1
080d5f4b1c1e892658672aded073b70dfd14f7de

SHA256
6a5cc7a1803b002e91129d9317fa8f2d79fc07775ded7163c38d41569f8068ed

SHA512
32e3cc6fbb5db6b38c5aa18b3bb077c9e03e218d3698d6a30a6e62bfcba2692d4b625b286df0604637a5a7488d8215406c46f337f8ca908081b300a58945de3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb71fc52

Filesize
2.0MB

MD5
d2235aeb97c1be6fbdd13517579bcbf9

SHA1
335abcda67ceab10c96bf4855642e031d65aa282

SHA256
fa699bcb14ae008a91105ab5ba25744e1f16420b95c628ce21329b285cee511a

SHA512
e4fcedf30de47a134d77ebd245c1e4036c8cdffdea84a44dad982e5c62346fc8ff304266e8b62d190159c5c6619d1bf5dc1ff8d70e73f78d56015d6f661c2041

Download Submit
memory/240-133-0x0000000000D60000-0x0000000000DAD000-memory.dmp

Filesize
308KB

Download
memory/240-132-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/240-131-0x00000000004E0000-0x00000000005CB000-memory.dmp

Filesize
940KB

Download
memory/240-129-0x0000000000D60000-0x0000000000DAD000-memory.dmp

Filesize
308KB

Download
memory/240-128-0x00007FFABE060000-0x00007FFABE269000-memory.dmp

Filesize
2.0MB

Download
memory/2160-126-0x0000000073C00000-0x0000000073D7D000-memory.dmp

Filesize
1.5MB

Download
memory/2160-122-0x0000000073C00000-0x0000000073D7D000-memory.dmp

Filesize
1.5MB

Download
memory/2160-124-0x0000000073C00000-0x0000000073D7D000-memory.dmp

Filesize
1.5MB

Download
memory/2160-119-0x00007FFABE060000-0x00007FFABE269000-memory.dmp

Filesize
2.0MB

Download
memory/2160-117-0x0000000073C00000-0x0000000073D7D000-memory.dmp

Filesize
1.5MB

Download
memory/4932-115-0x0000000073C00000-0x0000000073D7D000-memory.dmp

Filesize
1.5MB

Download
memory/4932-114-0x0000000073C00000-0x0000000073D7D000-memory.dmp

Filesize
1.5MB

Download
memory/4932-113-0x00007FFABE060000-0x00007FFABE269000-memory.dmp

Filesize
2.0MB

Download
memory/4932-112-0x0000000073C00000-0x0000000073D7D000-memory.dmp

Filesize
1.5MB

Download
memory/4932-106-0x0000000000400000-0x000000000081A000-memory.dmp

Filesize
4.1MB

Download