Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
12-06-2024 02:18
Static task
static1
Behavioral task
behavioral1
Sample
d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240611-en
General
-
Target
d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe
-
Size
928KB
-
MD5
4266d91c8633602759414cebaeec2ae2
-
SHA1
ba1dbcfb42cc7073e6fc8c2f75309bbea4dff3b6
-
SHA256
d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18
-
SHA512
fa083f2cc0da566a24b7bd259a680b94d03478b1988df230e990a364859b9b42ea7b6b4cb203efd321c870a8199b24e35f7f8632b83da7429cfec2f90ddf6314
-
SSDEEP
24576:oT5+tqOmwmFwIwoGxEt0h1XummOxYD/I1adA:mEtBL+wRom3nnuckA
Malware Config
Signatures
-
Loads dropped DLL 2 IoCs
Processes:
d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe
pid   process
1900  d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe
1900  d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe
description                   ioc                                                                  process
File opened for modification  C:\Program Files (x86)\saerligt.ini                                  d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe
File opened for modification  C:\Program Files (x86)\Common Files\kancellistils\Antiabrasion.sti   d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe
-
Drops file in Windows directory 2 IoCs
Processes:
d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe
description                   ioc                                                process
File opened for modification  C:\Windows\resources\0409\henviste.uns             d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe
File opened for modification  C:\Windows\Skorstenspibes\frimrkealbummets.ini     d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid   pid_target  process       target process
2652  1900        WerFault.exe  d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe
description                       pid   process                                                               target process
PID 1900 wrote to memory of 2652  1900  d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe  WerFault.exe
PID 1900 wrote to memory of 2652  1900  d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe  WerFault.exe
PID 1900 wrote to memory of 2652  1900  d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe  WerFault.exe
PID 1900 wrote to memory of 2652  1900  d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe  WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe
"C:\Users\Admin\AppData\Local\Temp\d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID: 1900
-
  C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 540
  - Program crash
  PID: 2652
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
74B
MD5
16d513397f3c1f8334e8f3e4fc49828f
SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0
SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36
SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3
-
Filesize
27B
MD5
b93641813851b1ad166b8163e5aeddc9
SHA1
642d989ceea62bcfd70fb74f3c62ade0c1c41d78
SHA256
1628c6bee5afc85044309f45e34190bc9ce8bd9516e30792460e14362657d42d
SHA512
eee31a0d51df3a7ba35ab4025f8d458c4d12b6f46412982ad34aef31d9e83c7070056a07777ed4b62fb3b92b376b618099374901ffe4f988fe0f853a0e57c8ec
-
Filesize
38B
MD5
306942073b8a4457561e12735efb9411
SHA1
b1cd498c9febaeb7c2aa4e57c30f118f50eaacb6
SHA256
2f68a110d1297ef0a5752507719512451b5a9f00bf25e1392ad5ad3be968ea34
SHA512
29b4c8dc5a083fde8e809ad3e87b76057116fa9820c15fbddb25913543d93d9475ce07137cd382d6ba9c71741f706bf5be4e13909e231b32164a189fdf95271c
-
Filesize
56B
MD5
8e6404beeb7e3c9538dadffcfb2645b8
SHA1
270b1ee147d848a55d37ddf02e8eb7f847962cb0
SHA256
d249e99e34d488c9c51113d432665f8d7b064ea22b259a7d5b563fdab5cc89b2
SHA512
9e611fce0c6832f6d2608939c90761cbbbe20389a47538e1b61aeb81d1632486719bbd95c591208eafd49c1ee7bfb47253fa26520f10712c4ce65a03bc9547d4
-
Filesize
52B
MD5
5d04a35d3950677049c7a0cf17e37125
SHA1
cafdd49a953864f83d387774b39b2657a253470f
SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266
SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b
-
Filesize
60B
MD5
c5dc6b3c3c7f200f5a7ba47c2737c1de
SHA1
70b4e8baecdb4dce827ab98ffef9bd44e0552ee4
SHA256
60d21a4adb44ea9bc7f98e4782eb655c65ecc018d98ff8850b4d5aa0b4346d18
SHA512
99374495d22fc90ef81f0c705822006ffd921fb9e91aea7b2e93a492758ee43a73becb09a49be96ad6ba28fa47c267530669042e8de398f2b6bb10ed5a966283
-
Filesize
30B
MD5
f15bfdebb2df02d02c8491bde1b4e9bd
SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301
SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043
SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1
-
Filesize
38B
MD5
64b06081504c11ef4062e43370b81357
SHA1
8c2e1d6f654a48964bf51a72e333dfebbd911b62
SHA256
0782aa5c1895020e59632e92fe29a293160a19155fe53a6ff56af8c376cb5664
SHA512
a0cdc124018d7bdb224d59a5d96e84a07f0f801290ee80881d6bffc7bb82edac5a768e8258217363610883c1ab73a79a2951c3bc29e93c9b7276627566551dee
-
Filesize
12KB
MD5
d968cb2b98b83c03a9f02dd9b8df97dc
SHA1
d784c9b7a92dce58a5038beb62a48ff509e166a0
SHA256
a4ec98011ef99e595912718c1a1bf1aa67bfc2192575729d42f559d01f67b95c
SHA512
2ee41dc68f329a1519a8073ece7d746c9f3bf45d8ef3b915deb376af37e26074134af5f83c8af0fe0ab227f0d1acca9f37e5ca7ae37c46c3bcc0331fe5e2b97e