10 08751be484...2d.dll
windows7-x64
10 08751be484...2d.dll
windows10-2004-x64
10 0a9f79abd4...51.exe
windows7-x64
3 0a9f79abd4...51.exe
windows10-2004-x64
3 1.bin/1.exe
windows7-x64
10 1.bin/1.exe
windows10-2004-x64
10 2019-09-02...10.exe
windows7-x64
10 2019-09-02...10.exe
windows10-2004-x64
10 2b5e50bc30...ba.dll
windows7-x64
10 2b5e50bc30...ba.dll
windows10-2004-x64
10 2c01b00772...eb.exe
windows7-x64
10 2c01b00772...eb.exe
windows10-2004-x64
10 31.exe
windows7-x64
10 31.exe
windows10-2004-x64
10 3DMark 11 ...on.exe
windows7-x64
1 3DMark 11 ...on.exe
windows10-2004-x64
1 42f9729255...61.exe
windows7-x64
10 42f9729255...61.exe
windows10-2004-x64
10 42f9729255...1).exe
windows7-x64
10 42f9729255...1).exe
windows10-2004-x64
10 5da0116af4...18.exe
windows7-x64
7 5da0116af4...18.exe
windows10-2004-x64
7 69c56d12ed...6b.exe
windows7-x64
10 69c56d12ed...6b.exe
windows10-2004-x64
10 6a9e7107c9...91.exe
windows7-x64
10 6a9e7107c9...91.exe
windows10-2004-x64
10 905d572f23...50.exe
windows7-x64
10 905d572f23...50.exe
windows10-2004-x64
10 948340be97...54.exe
windows7-x64
10 948340be97...54.exe
windows10-2004-x64
10 95560f1a46...f9.dll
windows7-x64
1 95560f1a46...f9.dll
windows10-2004-x64
5Resubmissions
03-07-2024 16:04
240703-thygmaycpc 10
01-07-2024 18:12
240701-ws6xvswbkj 10
01-07-2024 18:03
240701-wm5sls1gka 10
01-07-2024 18:03
240701-wm39sa1gjf 10
01-07-2024 18:03
240701-wm2e7avhkj 10
01-07-2024 18:03
240701-wmzxcs1fre 10
01-07-2024 18:02
240701-wmzats1frc 10
01-07-2024 18:02
240701-wmvbwa1fqh 10
22-11-2023 17:02
231122-vkac9adg64 10
Analysis
-
max time kernel
14s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
01-07-2024 18:03
Static task
static1
Behavioral task
behavioral1
Sample
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
1.bin/1.exe
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
1.bin/1.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
2019-09-02_22-41-10.exe
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
2019-09-02_22-41-10.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba.dll
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral11
Sample
2c01b007729230c415420ad641ad92eb.exe
Resource
win7-20240611-en
Behavioral task
behavioral12
Sample
2c01b007729230c415420ad641ad92eb.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral13
Sample
31.exe
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
31.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
3DMark 11 Advanced Edition.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
42f972925508a82236e8533567487761.exe
Resource
win7-20240419-en
Behavioral task
behavioral18
Sample
42f972925508a82236e8533567487761.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
42f972925508a82236e8533567487761(1).exe
Resource
win7-20240611-en
Behavioral task
behavioral20
Sample
42f972925508a82236e8533567487761(1).exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win7-20240611-en
Behavioral task
behavioral22
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral23
Sample
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Resource
win7-20240611-en
Behavioral task
behavioral24
Sample
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral25
Sample
6a9e7107c97762eb1196a64baeadb291.exe
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
6a9e7107c97762eb1196a64baeadb291.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral27
Sample
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Resource
win7-20231129-en
Behavioral task
behavioral28
Sample
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral29
Sample
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
Resource
win7-20240508-en
Behavioral task
behavioral30
Sample
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral31
Sample
95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll
Resource
win7-20231129-en
Behavioral task
behavioral32
Sample
95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll
Resource
win10v2004-20240611-en
General
-
Target
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
-
Size
669KB
-
MD5
ead18f3a909685922d7213714ea9a183
-
SHA1
1270bd7fd62acc00447b30f066bb23f4745869bf
-
SHA256
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
-
SHA512
6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91
-
SSDEEP
6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL
Malware Config
Signatures
-
Modifies file permissions 1 TTPs 1 IoCs
Runs icacls.exe to deny the Everyone group (well-known SID S-1-1-0) the Delete (DE) and Delete-Child (DC) rights on the directory holding the dropped copy, with (OI)(CI) so the deny ACE is inherited by its files and subfolders; this makes the staged copy harder to remove until the ACL is reset (e.g. by taking ownership or with icacls /reset).
pid Process 724 icacls.exe -
resource yara_rule behavioral22/memory/4788-0-0x0000000000400000-0x00000000004A9000-memory.dmp upx behavioral22/files/0x00080000000233af-6.dat upx behavioral22/memory/2428-7-0x0000000000400000-0x00000000004A9000-memory.dmp upx behavioral22/memory/1276-21-0x0000000000400000-0x00000000004A9000-memory.dmp upx behavioral22/memory/1200-20-0x0000000000400000-0x00000000004A9000-memory.dmp upx behavioral22/memory/5048-28-0x0000000000400000-0x00000000004A9000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Sets the per-user value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper to the copy dropped under %LOCALAPPDATA%\420094c8-bb06-43a5-af67-61bfe49db466\ with the --AutoStart switch, so the payload is relaunched at each logon of this user. The dropped copy is byte-identical to the submitted sample (same MD5/SHA-1/SHA-256, see Downloads).
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\420094c8-bb06-43a5-af67-61bfe49db466\\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe\" --AutoStart" 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe -
Looks up external IP address via web service 4 IoCs
Contacts api.2ip.ua, a legitimate public IP-lookup service, to learn the infected host's external IP address (four flows observed). The domain is benign on its own, so treat it as a weak indicator unless correlated with the other behaviors on this page.
flow ioc 21 api.2ip.ua 3 api.2ip.ua 7 api.2ip.ua 18 api.2ip.ua -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
Three instances of the sample (PIDs 4788, 1200 and 5048) were terminated via WerFault.exe, and the kernel run time was only 14s; the run did not complete, so the signature list on this page likely under-reports the sample's full behavior. The same target's windows7-x64 task may show more.
pid pid_target Process procid_target 4868 4788 WerFault.exe 79 1080 5048 WerFault.exe 96 4896 1200 WerFault.exe 94 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4788 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 4788 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe -
Suspicious use of WriteProcessMemory 3 IoCs
All three writes originate from the parent (PID 4788) into the icacls.exe child (PID 724) it spawned; writes from a parent into a freshly created child are also produced by ordinary process creation, so on their own these do not demonstrate code injection.
description pid Process procid_target PID 4788 wrote to memory of 724 4788 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 80 PID 4788 wrote to memory of 724 4788 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 80 PID 4788 wrote to memory of 724 4788 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\420094c8-bb06-43a5-af67-61bfe49db466" /deny *S-1-1-0:(OI)(CI)(DE,DC)2⤵
- Modifies file permissions
PID:724
-
-
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask2⤵PID:2428
-
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask3⤵PID:1200
-
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1200 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt14⤵PID:5048
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 12965⤵
- Program crash
PID:1080
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 14404⤵
- Program crash
PID:4896
-
-
-
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2428 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt13⤵PID:1276
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 13682⤵
- Program crash
PID:4868
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4788 -ip 47881⤵PID:4900
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5048 -ip 50481⤵PID:180
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1200 -ip 12001⤵PID:3604
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\420094c8-bb06-43a5-af67-61bfe49db466\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Filesize669KB
MD5ead18f3a909685922d7213714ea9a183
SHA11270bd7fd62acc00447b30f066bb23f4745869bf
SHA2565da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
SHA5126e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91