087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3

Analysis

max time kernel
79s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.exe
Size

7.9MB
MD5

9c99b106c17bf79e0bea2d277b5a58f7
SHA1

61e0d359386ca6e53cb3342db08c3b129a420efd
SHA256

087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3
SHA512

e59da36c59a75b9904ec3a35947f690bd37ed452ef02082504f1f16465800051b9fbcfe7d180130bd1768ea7d85cff8264def467b0e5c74f3b9773b990812654
SSDEEP

196608:2QUsGt/hlfOzFewvf1RVuI/XZP1JuAyIFk+0X29fnDTRZ:XGnfOzPV3uIfZtJPBf0X29bTRZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
776	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp
1528	unzip.exe
4688	unzip.exe

Loads dropped DLL 3 IoCs

pid	Process
776	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp
776	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp
776	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1584	776	WerFault.exe	82

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
776	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp
776	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 776	2596	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.exe	82
PID 2596 wrote to memory of 776	2596	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.exe	82
PID 2596 wrote to memory of 776	2596	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.exe	82
PID 776 wrote to memory of 1528	776	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp	85
PID 776 wrote to memory of 1528	776	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp	85
PID 776 wrote to memory of 1528	776	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp	85
PID 776 wrote to memory of 4688	776	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp	87
PID 776 wrote to memory of 4688	776	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp	87
PID 776 wrote to memory of 4688	776	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp	87

C:\Users\Admin\AppData\Local\Temp\087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.exe
"C:\Users\Admin\AppData\Local\Temp\087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Local\Temp\is-OAKS5.tmp\087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-OAKS5.tmp\087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp" /SL5="$7006C,7384214,1089536,C:\Users\Admin\AppData\Local\Temp\087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Users\Admin\AppData\Local\Temp\is-AOBO7.tmp\unzip.exe
    "C:\Users\Admin\AppData\Local\Temp\is-AOBO7.tmp\unzip.exe" -o C:\Users\Admin\AppData\Local\Temp\is-AOBO7.tmp\view.zip -d C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Executes dropped EXE
    PID:1528
- - C:\Users\Admin\AppData\Local\Temp\is-AOBO7.tmp\unzip.exe
    "C:\Users\Admin\AppData\Local\Temp\is-AOBO7.tmp\unzip.exe" -o C:\Users\Admin\AppData\Local\Temp\is-AOBO7.tmp\exe.zip -d C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Executes dropped EXE
    PID:4688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 1828
    3⤵
    - Program crash
    PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 776 -ip 776
1⤵
PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install\info.xml

Filesize
2KB

MD5
681c8c4d6692da490b0e493c2502fade

SHA1
8dcf7e265ff7fd9acb97d76f8eac0a1933c0a55a

SHA256
b1f485180b515fd79bb6c07dc77d4366f2b1d09e9426771589cb1bc05d6e7999

SHA512
0d1d80419155748eb5e11a5ea7e0a87ff3eb4b2915de93bf4b6dac78410eb76139355ead447c3e798faae15ca7f50aaa2b707d303b01528050c1e45dc98b4479

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AOBO7.tmp\ewb.dll

Filesize
1.4MB

MD5
9a0329ad9e2dd88a0aacbd8898a4c29b

SHA1
24a6a75c7c1ce8548ab2ccf9eaf175d5621d66c4

SHA256
dc8621a7ca55e139602b5a0b4544c0189853717c8d73eef12700cc1439e38a14

SHA512
5aaef9c5899e71920cd18b13b6155ef6430a624aae6fbf2830ce1069eb5e77424f836ac2838b5d4d54d5cbe8e7555e21bff817f366fb0f4d59034ef1c4f8bc68

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AOBO7.tmp\exe.zip

Filesize
2.6MB

MD5
2af16d70186906d29f4551f0b73a5dad

SHA1
0d87e798c08858801abef135d2be378247637d5c

SHA256
c71a3980755aa1e65c4291eec55c48a928789d50d4d12a6721dc4499692905c3

SHA512
4282d70dd2d007a0b980ca8d792b9d1870c80969aa4ad06e8d160fc7c1554750ece56298288cb6efab28d3eccf844a906ce57009f6256eee6bfe535e7d81aa61

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AOBO7.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AOBO7.tmp\jquery.min.js

Filesize
90KB

MD5
8b057f40439a72781f73283c16d305ce

SHA1
b6fe8c7431a5f54d3df475c252ef268fd411ec08

SHA256
c7363832ac7f22d24a42dc1856365688a42fc7cbc37c76d1142f64921f2568bf

SHA512
90a2ac43e6ca6b39c15c33a5174ad3f210c21a4a7200308248aa9b59a3ea71cb72339a6431ae6b72e1ee4bba458e9fc33ea21f1fb269d6d4b0fe4c9f845f875b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AOBO7.tmp\start.htm

Filesize
4KB

MD5
f501eeaed481413924e104a9ecb52f60

SHA1
3bf5cd9416079cca399cdb56ca333839dcdb135f

SHA256
464285fb17139b17f559dc53a4b837b3e2327c4aa89c7952e207b36ecae739b9

SHA512
9675486ca4df32c2a8fec4f03d61af6f3bfd2f5b6c2c20271d375c29e292dfc7b9c03effe6e4d49cb3dc5f792b3a5377dc72e217726f0ca11d0667358443e7a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AOBO7.tmp\unzip.exe

Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AOBO7.tmp\view.zip

Filesize
153KB

MD5
40cde179b0be44d921d7978181dc860c

SHA1
ebfbd56f571599c81a5db82f0d2c4839c2bc707b

SHA256
0953f102fb06e53e169938f49dde5075c48176797c95a44cda45b748c573d90c

SHA512
047c7a34d6c9d63c5f13f509fff84a15d5b06e08becfc82d1e870ddfebd0ad9c2dd986fd0816c51d62a11de4edd8da41c3c51e51662a4747832955bb11c2494b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OAKS5.tmp\087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp

Filesize
2.8MB

MD5
3aa1f23d37fbe8294e60758160e07922

SHA1
29910070973b20b31e28b71d8f344be68d42ca18

SHA256
6b16d8c13c02faa8dd4ec0f7b4db2ab5cd7652a88e89b86ecd63b010652dfe03

SHA512
e65aee6f12ab5315fe08903ef1245435eab823b1e37b6c30bab95fb71a46e7ed117c00552016f89263262e0e06660f267e36767e6f0bc8d8df2db1be645c0348

Download Submit
memory/776-12-0x0000000003730000-0x0000000003745000-memory.dmp

Filesize
84KB

Download
memory/776-6-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/776-71-0x0000000003730000-0x0000000003745000-memory.dmp

Filesize
84KB

Download
memory/776-72-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2596-0-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2596-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2596-73-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download