Analysis Overview
SHA256
39af1ce83c85e15f167cdef74aa9e23af9fb2942561b16491d23bc6044efe0b6
Threat Level: Likely malicious
The file 39af1ce83c85e15f167cdef74aa9e23af9fb2942561b16491d23bc6044efe0b6.exe was found to be: Likely malicious.
Malicious Activity Summary
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Writes to the Master Boot Record (MBR)
Unsigned PE
Program crash
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 01:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 01:23
Reported
2024-05-09 01:26
Platform
win7-20240221-en
Max time kernel
140s
Max time network
121s
Command Line
Signatures
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\39af1ce83c85e15f167cdef74aa9e23af9fb2942561b16491d23bc6044efe0b6.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\39af1ce83c85e15f167cdef74aa9e23af9fb2942561b16491d23bc6044efe0b6.exe
"C:\Users\Admin\AppData\Local\Temp\39af1ce83c85e15f167cdef74aa9e23af9fb2942561b16491d23bc6044efe0b6.exe"
Network
Files
memory/664-0-0x0000000000230000-0x0000000000231000-memory.dmp
memory/664-1-0x0000000003030000-0x00000000030B0000-memory.dmp
memory/664-2-0x0000000000400000-0x000000000046F000-memory.dmp
memory/664-3-0x0000000000400000-0x00000000004EE000-memory.dmp
memory/664-4-0x0000000000400000-0x00000000004EE000-memory.dmp
memory/664-6-0x0000000000230000-0x0000000000231000-memory.dmp
memory/664-7-0x0000000000400000-0x000000000046F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 01:23
Reported
2024-05-09 01:26
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\39af1ce83c85e15f167cdef74aa9e23af9fb2942561b16491d23bc6044efe0b6.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\39af1ce83c85e15f167cdef74aa9e23af9fb2942561b16491d23bc6044efe0b6.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\39af1ce83c85e15f167cdef74aa9e23af9fb2942561b16491d23bc6044efe0b6.exe
"C:\Users\Admin\AppData\Local\Temp\39af1ce83c85e15f167cdef74aa9e23af9fb2942561b16491d23bc6044efe0b6.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2044 -ip 2044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 700
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.201.50.20.in-addr.arpa | udp |
Files
memory/2044-0-0x00000000006A0000-0x00000000006A1000-memory.dmp
memory/2044-1-0x0000000002380000-0x0000000002400000-memory.dmp
memory/2044-2-0x0000000000400000-0x000000000046F000-memory.dmp
memory/2044-3-0x0000000000400000-0x00000000004EE000-memory.dmp
memory/2044-4-0x0000000000400000-0x00000000004EE000-memory.dmp
memory/2044-7-0x0000000000400000-0x000000000046F000-memory.dmp