Analysis
- max time kernel: 130s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-07-2024 13:04
Static task: static1
Behavioral task: behavioral1
- Sample: 0243aad4ee7274a8dbaab8b4626a20b0N.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 0243aad4ee7274a8dbaab8b4626a20b0N.exe
- Resource: win10v2004-20240709-en
General
- Target: 0243aad4ee7274a8dbaab8b4626a20b0N.exe
- Size: 225KB
- MD5: 0243aad4ee7274a8dbaab8b4626a20b0
- SHA1: 54bf79dccbda8dcb234037782ecae168805af5a8
- SHA256: 7d4d65476e5ea0d34bcfef154c650be24d38ff58d3b024c1e11052feb68dbc23
- SHA512: 2b5adf2b1716ff22f89719263e81bf0bbd3f1bd0bb825df1d769284fee5df22163a98e971e7e018a3d0e56269d0bec89636115f3b4b19f1727a6f1d3e4766434
- SSDEEP: 6144:7A2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:7ATuTAnKGwUAW3ycQqgf
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  Processes:
    pid  | pid_target | process      | target process
    1904 | 4624       | WerFault.exe | winver.exe
    4844 | 536        | WerFault.exe | 0243aad4ee7274a8dbaab8b4626a20b0N.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes:
    description     | ioc | process
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | svchost.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description                      | pid  | process
    Token: SeShutdownPrivilege       | 3376 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 3376 | Explorer.EXE
    Token: SeShutdownPrivilege       | 3376 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 3376 | Explorer.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid  | process
    4624 | winver.exe
    536  | 0243aad4ee7274a8dbaab8b4626a20b0N.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                      | pid  | process                               | target process
    PID 536 wrote to memory of 4624  | 536  | 0243aad4ee7274a8dbaab8b4626a20b0N.exe | winver.exe
    PID 536 wrote to memory of 4624  | 536  | 0243aad4ee7274a8dbaab8b4626a20b0N.exe | winver.exe
    PID 536 wrote to memory of 4624  | 536  | 0243aad4ee7274a8dbaab8b4626a20b0N.exe | winver.exe
    PID 536 wrote to memory of 4624  | 536  | 0243aad4ee7274a8dbaab8b4626a20b0N.exe | winver.exe
    PID 4624 wrote to memory of 3376 | 4624 | winver.exe                            | Explorer.EXE
    PID 536 wrote to memory of 3376  | 536  | 0243aad4ee7274a8dbaab8b4626a20b0N.exe | Explorer.EXE
Processes
- C:\Windows\Explorer.EXE (level 1)
  command line: C:\Windows\Explorer.EXE
  signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\0243aad4ee7274a8dbaab8b4626a20b0N.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\0243aad4ee7274a8dbaab8b4626a20b0N.exe"
    signatures: Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe (level 3)
      command line: winver
      signatures: Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe (level 4)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 300
        signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe (level 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 776
      signatures: Program crash
- C:\Windows\System32\svchost.exe (level 1)
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  signatures: Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\WerFault.exe (level 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4624 -ip 4624
- C:\Windows\SysWOW64\WerFault.exe (level 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 536 -ip 536
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/536-1-0x0000000004690000-0x0000000004CE8000-memory.dmp (filesize: 6.3MB)
- memory/536-2-0x0000000003D00000-0x0000000003D01000-memory.dmp (filesize: 4KB)
- memory/536-6-0x0000000000400000-0x000000000043C000-memory.dmp (filesize: 240KB)
- memory/536-13-0x0000000004690000-0x0000000004CE8000-memory.dmp (filesize: 6.3MB)
- memory/3376-4-0x00000000013F0000-0x00000000013F6000-memory.dmp (filesize: 24KB)
- memory/3376-5-0x00000000013F0000-0x00000000013F6000-memory.dmp (filesize: 24KB)
- memory/3376-10-0x0000000001600000-0x0000000001606000-memory.dmp (filesize: 24KB)