fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82

Resubmissions

13-06-2024 20:46

240613-zkd4nazcpd 6

13-06-2024 20:42

240613-zgzwystdpn 6

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f_0051d6.exe
Size

3.2MB
MD5

13ca60d73776b420ada5cc15848f8dfb
SHA1

22bece82795e9c60d76c19f22f777f3b19af10d8
SHA256

fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82
SHA512

7074d3fb777563a94dde036cab647cfc72c115e140343ec25f6921a5689b4d381b60012dfa0fb2b1ea17621ff90ca4c225cd3f2e71c1a6bab935c33610f4dafc
SSDEEP

98304:VSiRz+JwCh4p8zdpHzEugKdTHvjgJLTiH7BUB:3zI48v1r1EsY

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
16	api.keen.io
17	api.keen.io

Executes dropped EXE 1 IoCs

pid	Process
4820	f_0051d6.tmp

Loads dropped DLL 3 IoCs

pid	Process
4820	f_0051d6.tmp
4820	f_0051d6.tmp
4820	f_0051d6.tmp

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1948	4820	WerFault.exe	91
5052	4820	WerFault.exe	91

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 4820	4436	f_0051d6.exe	91
PID 4436 wrote to memory of 4820	4436	f_0051d6.exe	91
PID 4436 wrote to memory of 4820	4436	f_0051d6.exe	91

C:\Users\Admin\AppData\Local\Temp\f_0051d6.exe
"C:\Users\Admin\AppData\Local\Temp\f_0051d6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Users\Admin\AppData\Local\Temp\is-0936M.tmp\f_0051d6.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0936M.tmp\f_0051d6.tmp" /SL5="$701CA,2484196,893952,C:\Users\Admin\AppData\Local\Temp\f_0051d6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1944
    3⤵
    - Program crash
    PID:1948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1944
    3⤵
    - Program crash
    PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4820 -ip 4820
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4820 -ip 4820
1⤵
PID:2568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-0936M.tmp\f_0051d6.tmp

Filesize
3.0MB

MD5
5c6dc4f810bf08224a748763e915d294

SHA1
57e9256e9aeaafd45e4bdc8461f5fcb73f65302e

SHA256
44f80edcbb47c543b362916340af40e5e0f5fa38c1c17713af1ab463d1389e9d

SHA512
8a834ad640ea17ff74d4956d968fe4f5dc657f8fe152eaab778363b2d301733eca2ae01227e20ed9ed88b9eaabe2914a1e388ecea214effdce6725dd28164a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T0JBF.tmp\Win32Library.dll

Filesize
46KB

MD5
564f2dfb6bef1f47798dfb5d182232f0

SHA1
290a5ad705a85e7fb26efcdc5374cd39738ad242

SHA256
671fb4649ddd8428c7f6fd1e14b30fd4735efbbb8c142e2662e157d87f96c9c0

SHA512
492091b1ecb0e36f3d01a7b6d516d836224966dc6e8ec9bcdc2254d252f9530c9b9b45ac10d5216761d557cda2454e3d53060b42e55f6a95631baca29199926b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T0JBF.tmp\onelaunch.png

Filesize
70KB

MD5
d3110fb775ee7fd24426503d67840c25

SHA1
54f649c8bf3af2ad3a4d92cd8b1397bad1a49a75

SHA256
f8392390dc81756e79ec5f359dbdcac3b4bd219b5188a429b814fc51aabb6e36

SHA512
f6b79f728be17c9060edb2df2dac2b0f59a4dffd8c416e7e957bc3fa4696f4237e5969647309f5425a6297f189e351e20c99c642f90d1476050285929657c32f

Download Submit
memory/4436-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4436-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4436-47-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4436-44-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4820-6-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/4820-26-0x0000000008FD0000-0x0000000009062000-memory.dmp

Filesize
584KB

Download
memory/4820-25-0x0000000074640000-0x0000000074654000-memory.dmp

Filesize
80KB

Download
memory/4820-42-0x00000000037C0000-0x0000000003900000-memory.dmp

Filesize
1.2MB

Download
memory/4820-43-0x00000000037C0000-0x0000000003900000-memory.dmp

Filesize
1.2MB

Download
memory/4820-24-0x0000000008FB0000-0x0000000008FC4000-memory.dmp

Filesize
80KB

Download
memory/4820-45-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/4820-20-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download