933aa21150e88442c5a989aae6657b47031c4ba30f58b1d36820d8ecc86f5eff

Analysis

max time kernel
12s
max time network
10s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
15/06/2024, 00:00

Target

MonowareInstaller.exe
Size

1.6MB
MD5

541c037070e5b10957bc453786564cca
SHA1

8faca4a4bf0d24c1a813422d30254dafbeada20c
SHA256

933aa21150e88442c5a989aae6657b47031c4ba30f58b1d36820d8ecc86f5eff
SHA512

9c39ddcdbd9140b0bc409bb55489b508a828870d2cc2e9ec4bc76034756ac9669ef7afb5ca8f702d5f9d3148eb64221eddae50ee3ba918c8d344054a026b6cb7
SSDEEP

49152:pCqTq24GjdGSrkqXfd+/9Ann+zrEFydHQSZDg:U/WjdGSrkqXf0Fy2rcynB

Score

6^/10

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2832	2116	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2116	MonowareInstaller.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	MonowareInstaller.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2832	2116	MonowareInstaller.exe	29
PID 2116 wrote to memory of 2832	2116	MonowareInstaller.exe	29
PID 2116 wrote to memory of 2832	2116	MonowareInstaller.exe	29
PID 2116 wrote to memory of 2832	2116	MonowareInstaller.exe	29

C:\Users\Admin\AppData\Local\Temp\MonowareInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\MonowareInstaller.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1476
  2⤵
  - Program crash
  PID:2832

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

memory/2116-0-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

Filesize
4KB

Download
memory/2116-1-0x00000000011E0000-0x0000000001374000-memory.dmp

Filesize
1.6MB

Download
memory/2116-2-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2116-3-0x0000000000680000-0x000000000069A000-memory.dmp

Filesize
104KB

Download
memory/2116-4-0x0000000000F00000-0x0000000000FB2000-memory.dmp

Filesize
712KB

Download
memory/2116-5-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download