Analysis
- max time kernel: 152s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-04-2024 17:00
Behavioral task behavioral1
- Sample: ptu621.exe
- Resource: win7-20231129-en
Behavioral task behavioral2
- Sample: ptu621.exe
- Resource: win10v2004-20240226-en
General
- Target: ptu621.exe
- Size: 5.0MB
- MD5: 516e4e61cf92a3d6b17ad2c181c2a939
- SHA1: 3f3f81dea9779a5d9d8478b0386867ccbe17d450
- SHA256: 3cb1389aa245b496d15d20d25fcefa35f35f85744413205e90caa78f0805902c
- SHA512: 143e0372ca5ca9c7197d4de69f595fb5b13d517db424331737274b252f16f4cec7490956d08618fcd823f9a9b42e95a7f0439c01a032568722dc864f2b3df71e
- SSDEEP: 98304:RUxt0mBCcZbMMWl7ZSnSC/Ao4f2uZE+2N3wALB2QviKo8D5yEg9yUPvnoh8dKjn8:uEA7YURz4RZEL3Z2ElcTywrdKj7KNQ
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    4780  ptu621Srv.exe
- YARA rule "upx" matched (5 IoCs)
  Resources (the dropped file on disk and the image regions of both processes):
    resource                                                                      yara_rule
    behavioral2/memory/5112-0-0x0000000000400000-0x0000000000CA5000-memory.dmp   upx
    C:\Users\Admin\AppData\Local\Temp\ptu621Srv.exe                               upx
    behavioral2/memory/4780-4-0x0000000000400000-0x0000000000433000-memory.dmp   upx
    behavioral2/memory/4780-5-0x0000000000400000-0x0000000000433000-memory.dmp   upx
    behavioral2/memory/5112-6-0x0000000000400000-0x0000000000CA5000-memory.dmp   upx
- Program crash (2 IoCs)
  Processes:
    pid   pid_target  process       target process
    3120  4780        WerFault.exe  ptu621Srv.exe
    5116  5112        WerFault.exe  ptu621.exe
- Suspicious use of WriteProcessMemory (3 IoCs, all from the parent into the dropped child)
  Processes:
    description                        pid   process     target process
    PID 5112 wrote to memory of 4780   5112  ptu621.exe  ptu621Srv.exe
    PID 5112 wrote to memory of 4780   5112  ptu621.exe  ptu621Srv.exe
    PID 5112 wrote to memory of 4780   5112  ptu621.exe  ptu621Srv.exe
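The "upx" rule above fires on the dropped ptu621Srv.exe on disk and on the image regions (starting at the 0x400000 image base, so the mapped PE header is at offset 0 of each dump) of both the parent and the child. Generic UPX rules key on the packer's default section names (UPX0, UPX1) and its "UPX!" marker, both of which live in the PE header region and therefore survive in a memory dump even after the stub has unpacked the payload; the 5.0MB file occupying an 8.6MB region is the unpacked image, not a second file. The Python below is an added example, not the sandbox's rule or anything from the sample: it walks the section table of a PE file or image dump and reports those indicators. The helper names (build_pe, section_names, upx_indicators, looks_upx_packed) are ours, and the PE skeleton it builds when run without arguments is constructed input, not derived from ptu621.exe.

```python
"""Report UPX packer indicators in a PE file or an image dump (added example)."""
import struct
import sys

# Default UPX section names and the marker UPX leaves in the header region.
# A modified packer renames both, so a miss means "not stock UPX", not "not packed".
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
UPX_MARKER = b"UPX!"


def section_names(data: bytes) -> list[str]:
    """Walk DOS header -> PE signature -> section table and return the section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size               # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                   # IMAGE_SECTION_HEADER is 40 bytes, name first
        raw = data[off:off + 8]
        if len(raw) < 8:
            break                              # truncated dump: stop rather than guess
        names.append(raw.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Return the section list plus the two UPX indicators found in the header region."""
    names = section_names(data)
    return {
        "sections": names,
        "upx_sections": [n for n in names if n in UPX_SECTION_NAMES],
        "upx_marker": UPX_MARKER in data,
    }


def looks_upx_packed(data: bytes) -> bool:
    """True if either indicator is present; a dump with neither may still be packed."""
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or ind["upx_marker"]


def build_pe(names: list[str], opt_size: int = 0xE0) -> bytes:
    """Build a minimal, non-executable PE skeleton with the given section names.
    Constructed test input for this example; it is not derived from the sample."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x0102)
    optional = b"\x0B\x01" + b"\x00" * (opt_size - 2)     # PE32 magic, remainder zeroed
    table = b"".join(n.encode("ascii").ljust(8, b"\x00") + b"\x00" * 32 for n in names)
    return bytes(dos) + b"PE\x00\x00" + coff + optional + table


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:       # a dropped file or a *-memory.dmp
            blob = fh.read()
    else:
        blob = build_pe(["UPX0", "UPX1", ".rsrc"])   # constructed stand-in, not ptu621Srv.exe
    print(upx_indicators(blob))
```

Run it against ptu621Srv.exe or one of the 0x400000-based dumps to see which indicator the rule is keying on; for a dump that does not begin at the image base, the MZ check will reject it, which is the intended behaviour rather than a parse of arbitrary bytes.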
Processes (PIDs for the sample processes taken from the Signatures section above; depth as reported by the sandbox)
- C:\Users\Admin\AppData\Local\Temp\ptu621.exe (PID 5112, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ptu621.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ptu621Srv.exe (PID 4780, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\ptu621Srv.exe
    Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 280
      Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 560
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4780 -ip 4780
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 5112 -ip 5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1; sandbox background activity, not spawned by the sample)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\ptu621Srv.exe
  Filesize: 74KB
  MD5: cb458dd109a10f16c430dee34464cd8f
  SHA1: 1bc955db0463913cc7d0434c2318c9f2202240e0
  SHA256: 21aa1977c0d7d0404f97515d87d6f26f3f2c2b01d054be6056d119d33d3856e3
  SHA512: 5321f11d92150fdb07f94092fa97fe88bd45714237e4ba245b7f5fbfd4425857fa8d242858d4fd038d77ee7644d276dfb63b7403469ddaf1b53879f391c3f490
- memory/4780-4-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB
- memory/4780-5-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB
- memory/5112-0-0x0000000000400000-0x0000000000CA5000-memory.dmp
  Filesize: 8.6MB
- memory/5112-6-0x0000000000400000-0x0000000000CA5000-memory.dmp
  Filesize: 8.6MB