Analysis
- max time kernel: 146s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-07-2024 18:39
Static task: static1
Behavioral task: behavioral1
- Sample: 036e19f0bedf8ccd4403759aef053130N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 036e19f0bedf8ccd4403759aef053130N.exe
- Resource: win10v2004-20240709-en
General
- Target: 036e19f0bedf8ccd4403759aef053130N.exe
- Size: 68KB
- MD5: 036e19f0bedf8ccd4403759aef053130
- SHA1: 244fdc88a1c999ccaea4eb8f74be3101fdc0395e
- SHA256: ac454fa278ee26a72d6720bac89bd4624d0e611afa1dae421a290454dc3848b3
- SHA512: 97c43c97fd8a89aa7d8ade1b9f98878b2015e09f8a4bbb48fc80efdb6a43e60cba542004e6e38e08db44f81a2ad30b1b3eb04dd73c7925992ea8b7db53344257
- SSDEEP: 768:9waGd7Lw/nrrxDL/GOv2/w6HSa0fYSPNZsxRXQ1d2yg/QmWKHZyiVlaW4OHZ0Em:947urp3v23HSa0AMNyfQ1d2y4Z4P
Malware Config
Signatures
- Program crash (1 IoC)
  Processes:
  pid   pid_target  process       target process
  3040  2648        WerFault.exe  winver.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  2648  winver.exe
  2648  winver.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description                       pid   process
  Token: SeShutdownPrivilege        3288  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3288  Explorer.EXE
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
  pid   process
  2648  winver.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid   process
  4140  036e19f0bedf8ccd4403759aef053130N.exe
- Suspicious use of UnmapMainImage (1 IoC)
  Processes:
  pid   process
  3288  Explorer.EXE
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
  description                       pid   process                                target process
  PID 4140 wrote to memory of 672   4140  036e19f0bedf8ccd4403759aef053130N.exe  036e19f0bedf8ccd4403759aef053130N.exe
  PID 4140 wrote to memory of 672   4140  036e19f0bedf8ccd4403759aef053130N.exe  036e19f0bedf8ccd4403759aef053130N.exe
  PID 4140 wrote to memory of 672   4140  036e19f0bedf8ccd4403759aef053130N.exe  036e19f0bedf8ccd4403759aef053130N.exe
  PID 4140 wrote to memory of 672   4140  036e19f0bedf8ccd4403759aef053130N.exe  036e19f0bedf8ccd4403759aef053130N.exe
  PID 4140 wrote to memory of 672   4140  036e19f0bedf8ccd4403759aef053130N.exe  036e19f0bedf8ccd4403759aef053130N.exe
  PID 4140 wrote to memory of 672   4140  036e19f0bedf8ccd4403759aef053130N.exe  036e19f0bedf8ccd4403759aef053130N.exe
  PID 4140 wrote to memory of 672   4140  036e19f0bedf8ccd4403759aef053130N.exe  036e19f0bedf8ccd4403759aef053130N.exe
  PID 4140 wrote to memory of 672   4140  036e19f0bedf8ccd4403759aef053130N.exe  036e19f0bedf8ccd4403759aef053130N.exe
  PID 4140 wrote to memory of 672   4140  036e19f0bedf8ccd4403759aef053130N.exe  036e19f0bedf8ccd4403759aef053130N.exe
  PID 4140 wrote to memory of 672   4140  036e19f0bedf8ccd4403759aef053130N.exe  036e19f0bedf8ccd4403759aef053130N.exe
  PID 4140 wrote to memory of 672   4140  036e19f0bedf8ccd4403759aef053130N.exe  036e19f0bedf8ccd4403759aef053130N.exe
  PID 4140 wrote to memory of 672   4140  036e19f0bedf8ccd4403759aef053130N.exe  036e19f0bedf8ccd4403759aef053130N.exe
  PID 672 wrote to memory of 2648   672   036e19f0bedf8ccd4403759aef053130N.exe  winver.exe
  PID 672 wrote to memory of 2648   672   036e19f0bedf8ccd4403759aef053130N.exe  winver.exe
  PID 672 wrote to memory of 2648   672   036e19f0bedf8ccd4403759aef053130N.exe  winver.exe
  PID 672 wrote to memory of 2648   672   036e19f0bedf8ccd4403759aef053130N.exe  winver.exe
  PID 2648 wrote to memory of 3288  2648  winver.exe                             Explorer.EXE
  PID 2648 wrote to memory of 2520  2648  winver.exe                             sihost.exe
Processes
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - C:\Users\Admin\AppData\Local\Temp\036e19f0bedf8ccd4403759aef053130N.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\036e19f0bedf8ccd4403759aef053130N.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\036e19f0bedf8ccd4403759aef053130N.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\036e19f0bedf8ccd4403759aef053130N.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\winver.exe
        command line: winver
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 636
          - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2648 -ip 2648
Network
MITRE ATT&CK Matrix
Downloads
memory dump                                                     filesize
memory/672-5-0x0000000000400000-0x0000000000404A00-memory.dmp   18KB
memory/672-4-0x0000000000400000-0x0000000000405000-memory.dmp   20KB
memory/2520-14-0x0000000000D40000-0x0000000000D47000-memory.dmp 28KB
memory/2520-15-0x0000000000D40000-0x0000000000D47000-memory.dmp 28KB
memory/2648-11-0x0000000000C20000-0x0000000000C32000-memory.dmp 72KB
memory/2648-10-0x0000000000C21000-0x0000000000C22000-memory.dmp 4KB
memory/2648-7-0x00000000009E0000-0x00000000009E7000-memory.dmp  28KB
memory/2648-16-0x00000000009E0000-0x00000000009E7000-memory.dmp 28KB
memory/3288-6-0x0000000000B60000-0x0000000000B67000-memory.dmp  28KB
memory/3288-9-0x0000000000B60000-0x0000000000B67000-memory.dmp  28KB
memory/3288-12-0x00007FFD85EED000-0x00007FFD85EEE000-memory.dmp 4KB
memory/4140-2-0x0000000002080000-0x0000000002086000-memory.dmp  24KB
memory/4140-3-0x0000000002080000-0x0000000002086000-memory.dmp  24KB