0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb.exe
Size

659KB
MD5

5cc236c56b831cf0c8a72d961a065964
SHA1

3a07a5a9d37bc0ad2b155a1a2ad99acefaf9b02f
SHA256

0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb
SHA512

335c0f9ce6094601c9f2babff2a60786191f2f70321d8782809a98b5e7dd4cda1fae18c011373f248cf4c14f221fca8e5c4919da8b5de9794d693d4b68e6fbfa
SSDEEP

12288:gYV6MorX7qzuC3QHO9FQVHPF51jgcQAMsh6hx28+60WYt39So0eUjZ3T6qNHLW:/BXu9HGaVHNrhy+/OV3NS

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/864-0-0x00000000003C0000-0x0000000000537000-memory.dmp	UPX
behavioral2/memory/864-14-0x00000000003C0000-0x0000000000537000-memory.dmp	UPX

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/864-0-0x00000000003C0000-0x0000000000537000-memory.dmp	upx
behavioral2/memory/864-14-0x00000000003C0000-0x0000000000537000-memory.dmp	upx

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/864-0-0x00000000003C0000-0x0000000000537000-memory.dmp	autoit_exe
behavioral2/memory/864-14-0x00000000003C0000-0x0000000000537000-memory.dmp	autoit_exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1888 864 WerFault.exe 0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb.exe

pid	pid_target	process	target process
1888	864	WerFault.exe	0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb.exe

pid	process
864	0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb.exe
864	0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb.exe

pid	process
864	0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb.exe
864	0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb.exe

pid	process
864	0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb.exe
864	0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb.exe

description	pid	process	target process
PID 864 wrote to memory of 1276	864	0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb.exe	svchost.exe
PID 864 wrote to memory of 1276	864	0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb.exe	svchost.exe
PID 864 wrote to memory of 1276	864	0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb.exe
"C:\Users\Admin\AppData\Local\Temp\0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\0e76573ff9a22862523a8794f518c5a81595aa5e549dc408969487a25d826aeb.exe"
2⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 736
2⤵
- Program crash
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 864 -ip 864
1⤵
PID:2640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut3393.tmp

Filesize
264KB

MD5
71445340232a7a43811c0e992918c807

SHA1
536dbfec5d177b648afc908cb0948268bb9e1456

SHA256
1e47ca8c8013662c7314feca570998744f77b7fd5dfb51d3da4b35daa6f10ef0

SHA512
f4a3871ccefba39aff112de818fb16cf2510936dd1719fcc5ab473d409668b87a12595506fe98ab3c03cbe824d0763a03092d63e8f76905bece76bd2571751ed

Download Submit
memory/864-0-0x00000000003C0000-0x0000000000537000-memory.dmp

Filesize
1.5MB

Download
memory/864-13-0x0000000000DB0000-0x0000000000DB4000-memory.dmp

Filesize
16KB

Download
memory/864-14-0x00000000003C0000-0x0000000000537000-memory.dmp

Filesize
1.5MB

Download