Analysis
-
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 22:29

Static task: static1

Behavioral task: behavioral1
Sample: 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe
Resource: win10v2004-20240508-en
General
-
Target: 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe
Size: 418KB
MD5: d59eb8cb36a1fd4b177de0c5a7949feb
SHA1: df841a0c247c65a1bfc4b4fe6fea722b84045af2
SHA256: 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634
SHA512: c279252b2f3ed7ab26d03358d680ce999be792a31d15f45d0961ca3dbb9a06204cdec9a37b5a90ebf1f31c2ed533fd574d5554fc77cd9c391c059ba38a237009
SSDEEP: 6144:a4kCzDW+q6MEp1JfTOOOW6tEbNM6gUzKuGHxLq+nbon6Xbqzvh4V1Jpnjjjjj:aX+q9WvfaqaHI5GPnbYEAv2Nnjjjjj
Malware Config
Signatures
-
UPX dump on OEP (original entry point) - 5 IoCs
resource | yara_rule
behavioral2/memory/940-6-0x0000000000400000-0x00000000004F8000-memory.dmp | UPX
behavioral2/memory/940-11-0x0000000000400000-0x00000000004F8000-memory.dmp | UPX
behavioral2/memory/5104-17-0x0000000000400000-0x00000000004F8000-memory.dmp | UPX
behavioral2/memory/5104-23-0x0000000000400000-0x00000000004F8000-memory.dmp | UPX
behavioral2/memory/5104-30-0x0000000000400000-0x00000000004F8000-memory.dmp | UPX
-
Deletes itself - 1 IoCs
pid | Process
5104 | pJ01831KoMbF01831.exe
-
Executes dropped EXE - 1 IoCs
pid | Process
5104 | pJ01831KoMbF01831.exe
-
resource | yara_rule
behavioral2/memory/940-6-0x0000000000400000-0x00000000004F8000-memory.dmp | upx
behavioral2/memory/940-11-0x0000000000400000-0x00000000004F8000-memory.dmp | upx
behavioral2/memory/5104-17-0x0000000000400000-0x00000000004F8000-memory.dmp | upx
behavioral2/memory/5104-23-0x0000000000400000-0x00000000004F8000-memory.dmp | upx
behavioral2/memory/5104-30-0x0000000000400000-0x00000000004F8000-memory.dmp | upx
-
Adds Run key to start application - 2 TTPs, 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pJ01831KoMbF01831 = "C:\\ProgramData\\pJ01831KoMbF01831\\pJ01831KoMbF01831.exe" | pJ01831KoMbF01831.exe
-
Program crash - 2 IoCs
pid | pid_target | Process | procid_target
4180 | 940 | WerFault.exe | 81
4532 | 5104 | WerFault.exe | 88
-
Suspicious behavior: EnumeratesProcesses - 64 IoCs
pid | Process
940 | 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe
940 | 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe
5104 | pJ01831KoMbF01831.exe (all remaining entries)
-
Suspicious use of AdjustPrivilegeToken - 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 940 | 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe
Token: SeDebugPrivilege | 5104 | pJ01831KoMbF01831.exe
-
Suspicious use of FindShellTrayWindow - 2 IoCs
pid | Process
5104 | pJ01831KoMbF01831.exe
5104 | pJ01831KoMbF01831.exe
-
Suspicious use of SendNotifyMessage - 2 IoCs
pid | Process
5104 | pJ01831KoMbF01831.exe
5104 | pJ01831KoMbF01831.exe
-
Suspicious use of SetWindowsHookEx - 2 IoCs
pid | Process
5104 | pJ01831KoMbF01831.exe
5104 | pJ01831KoMbF01831.exe
-
Suspicious use of WriteProcessMemory - 3 IoCs
description | pid | Process | procid_target
PID 940 wrote to memory of 5104 | 940 | 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe | 88
PID 940 wrote to memory of 5104 | 940 | 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe | 88
PID 940 wrote to memory of 5104 | 940 | 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe | 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe"
    PID: 940
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 724
        PID: 4180
        - Program crash

    C:\ProgramData\pJ01831KoMbF01831\pJ01831KoMbF01831.exe
        Command line: "C:\ProgramData\pJ01831KoMbF01831\pJ01831KoMbF01831.exe" "C:\Users\Admin\AppData\Local\Temp\5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe"
        PID: 5104
        - Deletes itself
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 724
            PID: 4532
            - Program crash

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 940 -ip 940
    PID: 4912

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5104 -ip 5104
    PID: 1264
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 418KB
MD5: fdd505bc89b87565b1b486729427393f
SHA1: ad50e6b2fd556d6c0e3bc7165464f4543eafd84e
SHA256: 791af1e3a64877150f1bb93cddd0547a755dffa572cef18ee000056e531f4ca8
SHA512: 40e4181892b7ba08a27addf719ec916c96d9afe89cd1c0588ddc55a3a4f5260d5347ff8850b768adaf4e0198096dd1b3a6b1d7f6883f565ca0e2b3f878bc8337