7c951b9e67eecab3f17784c87cad4d4db86eff91a5c464535ac39beb333c1ded

Resubmissions

11/06/2024, 14:30

240611-rvnf3s1bjr 4

11/06/2024, 14:07

240611-rffspazbng 4

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vaultFile12434153038098896463.exe
Size

87.1MB
MD5

0f14001e7b7c9a24c46296e25074b39a
SHA1

b10d1a303d0e9f481fd9bb675122c0dcd24f33d9
SHA256

3a3883dcdca19be0d1132e943682aece990494ce58e40d679b2a0b9cde481eff
SHA512

7ecd5aa169c3bc17f74b49951e201cf14cf115994b1e763cc02cf71080929696807bde45c583c355a41670a0a977a3078b251a1a783e6a5a3e458f49131119f1
SSDEEP

1572864:Dl7/l8tMEFBMv19JNKgUkoMm+q5s0fpbVMsINs03/OpZUuSASFe4bt6l4xnqKsm6:Dl7/zEcv19Jd/Dq5soVM5a0POpquSzFE

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1664	vaultFile12434153038098896463.tmp

Loads dropped DLL 12 IoCs

pid	Process
1540	vaultFile12434153038098896463.exe
1664	vaultFile12434153038098896463.tmp
1664	vaultFile12434153038098896463.tmp
1664	vaultFile12434153038098896463.tmp
1664	vaultFile12434153038098896463.tmp
1664	vaultFile12434153038098896463.tmp
1664	vaultFile12434153038098896463.tmp
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2568	1664	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	vaultFile12434153038098896463.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1664	vaultFile12434153038098896463.tmp
1664	vaultFile12434153038098896463.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 1664	1540	vaultFile12434153038098896463.exe	28
PID 1540 wrote to memory of 1664	1540	vaultFile12434153038098896463.exe	28
PID 1540 wrote to memory of 1664	1540	vaultFile12434153038098896463.exe	28
PID 1540 wrote to memory of 1664	1540	vaultFile12434153038098896463.exe	28
PID 1540 wrote to memory of 1664	1540	vaultFile12434153038098896463.exe	28
PID 1540 wrote to memory of 1664	1540	vaultFile12434153038098896463.exe	28
PID 1540 wrote to memory of 1664	1540	vaultFile12434153038098896463.exe	28
PID 1664 wrote to memory of 2568	1664	vaultFile12434153038098896463.tmp	29
PID 1664 wrote to memory of 2568	1664	vaultFile12434153038098896463.tmp	29
PID 1664 wrote to memory of 2568	1664	vaultFile12434153038098896463.tmp	29
PID 1664 wrote to memory of 2568	1664	vaultFile12434153038098896463.tmp	29

C:\Users\Admin\AppData\Local\Temp\vaultFile12434153038098896463.exe
"C:\Users\Admin\AppData\Local\Temp\vaultFile12434153038098896463.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Users\Admin\AppData\Local\Temp\is-76G03.tmp\vaultFile12434153038098896463.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-76G03.tmp\vaultFile12434153038098896463.tmp" /SL5="$400D8,90456719,806400,C:\Users\Admin\AppData\Local\Temp\vaultFile12434153038098896463.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1008
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-76G03.tmp\vaultFile12434153038098896463.tmp

Filesize
3.0MB

MD5
032a47886b37474c68e22c9c9fd2d1c3

SHA1
0d9311f561d96860f06a9d00d451ccf25006b4ec

SHA256
e35a3c699c57413fd079e35bca26665eae12344a2c0e1157a9626d244fcda127

SHA512
e86abbefda47701b09542f28d4e784a14b1e4fb70deaf368326892cdebecf41e5b778a9c4e8647a6d82ef64a1a75cb8636494194a1e0c4dad26d908bd1a74d67

Download Submit
\Users\Admin\AppData\Local\Temp\is-EDVI9.tmp\HtmlInstaller.dll

Filesize
189KB

MD5
44d765266942c3504553a6531bf8463a

SHA1
40cbae17fde4c9dfe76495cde3b87abdeb4ce248

SHA256
0a961b983903269f0f1be0a26c66435c92c827e0b9d59f531db4de4dd0a06955

SHA512
7f64b95981a6dcaa5947e71a8f25a69ec0086d59ea446e921fa018b4529de15bc2d4f31183a978a55ae0cdf4fe79133cec541dffc15e02ed04a59501a15f9645

Download Submit
\Users\Admin\AppData\Local\Temp\is-EDVI9.tmp\Networking.dll

Filesize
33KB

MD5
2b3aeef8e06946089cc268ad84b1d66e

SHA1
87c28686b7c81681a9f21946243fec4c9715022f

SHA256
259702b8a727488eab22d885edfdbffba715b8a608db1609f0136ca3d9fbd899

SHA512
b35120423e1dea0397ce316013f7838bf6c31e229ec933cc026e411b25b42704a01c7779145c0f7a25c4aa523af22fb40d56844cc767f828349ba72a40f4aeeb

Download Submit
memory/1540-66-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1540-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/1540-70-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1540-0-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1664-31-0x00000000037C0000-0x00000000037D0000-memory.dmp

Filesize
64KB

Download
memory/1664-59-0x0000000074AE0000-0x0000000074B18000-memory.dmp

Filesize
224KB

Download
memory/1664-58-0x00000000068C0000-0x00000000068F8000-memory.dmp

Filesize
224KB

Download
memory/1664-32-0x0000000074A00000-0x0000000074A10000-memory.dmp

Filesize
64KB

Download
memory/1664-67-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download
memory/1664-9-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download