Analysis
- max time kernel: 118s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-07-2024 02:33
Static task: static1
Behavioral task: behavioral1
- Sample: 513acf39d9487001fe6728bdc9b6ae40N.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 513acf39d9487001fe6728bdc9b6ae40N.exe
- Resource: win10v2004-20240709-en
General
- Target: 513acf39d9487001fe6728bdc9b6ae40N.exe
- Size: 225KB
- MD5: 513acf39d9487001fe6728bdc9b6ae40
- SHA1: 3f2516b9fbe6d7f4e20c532a6a053754f8e10933
- SHA256: d6d7547704f7dab0ac5dd96348ea26c625c3d87018d82d2b0aada4de938a8961
- SHA512: 0d2ca6804deb866fe9e528fcd11822dc11a0c14b1adfdc37693d83e69a0e312560c550dc9afcd93347623756ff00253f5b7daa78c8fd886ca89e28ced52cb9d0
- SSDEEP: 6144:oA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:oATuTAnKGwUAW3ycQqgf
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  Processes: WerFault.exe, WerFault.exe
  pid   pid_target  process       target process
  1176  3712        WerFault.exe  winver.exe
  5092  880         WerFault.exe  513acf39d9487001fe6728bdc9b6ae40N.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes: svchost.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"
  process: svchost.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 513acf39d9487001fe6728bdc9b6ae40N.exe
  pid  process
  880  513acf39d9487001fe6728bdc9b6ae40N.exe
  880  513acf39d9487001fe6728bdc9b6ae40N.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: Explorer.EXE
  description                       pid   process
  Token: SeShutdownPrivilege        3552  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3552  Explorer.EXE
  Token: SeShutdownPrivilege        3552  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3552  Explorer.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: winver.exe, 513acf39d9487001fe6728bdc9b6ae40N.exe
  pid   process
  3712  winver.exe
  880   513acf39d9487001fe6728bdc9b6ae40N.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  Processes: Explorer.EXE
  pid   process
  3552  Explorer.EXE
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: 513acf39d9487001fe6728bdc9b6ae40N.exe, winver.exe
  description                            pid   process                                target process
  PID 880 wrote to memory of 3712        880   513acf39d9487001fe6728bdc9b6ae40N.exe  winver.exe
  PID 880 wrote to memory of 3712        880   513acf39d9487001fe6728bdc9b6ae40N.exe  winver.exe
  PID 880 wrote to memory of 3712        880   513acf39d9487001fe6728bdc9b6ae40N.exe  winver.exe
  PID 880 wrote to memory of 3712        880   513acf39d9487001fe6728bdc9b6ae40N.exe  winver.exe
  PID 3712 wrote to memory of 3552       3712  winver.exe                             Explorer.EXE
  PID 880 wrote to memory of 3552        880   513acf39d9487001fe6728bdc9b6ae40N.exe  Explorer.EXE
  PID 880 wrote to memory of 2676        880   513acf39d9487001fe6728bdc9b6ae40N.exe  sihost.exe
Processes
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - C:\Users\Admin\AppData\Local\Temp\513acf39d9487001fe6728bdc9b6ae40N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\513acf39d9487001fe6728bdc9b6ae40N.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe
      Command line: winver
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 304
        - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 888
      - Program crash
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3712 -ip 3712
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 880 -ip 880
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/880-1-0x0000000004580000-0x0000000004BD8000-memory.dmp (Filesize: 6.3MB)
- memory/880-2-0x0000000003D80000-0x0000000003D81000-memory.dmp (Filesize: 4KB)
- memory/880-6-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/880-11-0x0000000005790000-0x0000000006190000-memory.dmp (Filesize: 10.0MB)
- memory/880-18-0x0000000004580000-0x0000000004BD8000-memory.dmp (Filesize: 6.3MB)
- memory/880-14-0x0000000005790000-0x0000000006190000-memory.dmp (Filesize: 10.0MB)
- memory/2676-13-0x0000000000030000-0x0000000000036000-memory.dmp (Filesize: 24KB)
- memory/2676-19-0x0000000000030000-0x0000000000036000-memory.dmp (Filesize: 24KB)
- memory/3552-5-0x0000000002370000-0x0000000002376000-memory.dmp (Filesize: 24KB)
- memory/3552-4-0x0000000002370000-0x0000000002376000-memory.dmp (Filesize: 24KB)
- memory/3552-10-0x0000000002380000-0x0000000002386000-memory.dmp (Filesize: 24KB)