340f6620d9e9e76d209f6e0f6fc51ff2bcc488d93385283465c84f0aba01c102

Analysis

max time kernel
96s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a4d4c67223ac058388d30cebd5ba170N.exe
Size

3.2MB
MD5

9a4d4c67223ac058388d30cebd5ba170
SHA1

f6991b5fcc527e0fa62ca0d756e64a76d78cdc7f
SHA256

340f6620d9e9e76d209f6e0f6fc51ff2bcc488d93385283465c84f0aba01c102
SHA512

70170fff44be60369b7844f22ba485604ff287f61bb17c4e4bec0009047299066d2c2da0f5e2b3fd94e4b46c820437b9c55f9e4ffbef2ec500f64721f658cd2a
SSDEEP

98304:VTKnhZcakcSCIps8cr9dcakcCCyt/PcakcSCIps8cr9dcakcO:kfdljss7dlC3ddljss7dlO

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3120	9a4d4c67223ac058388d30cebd5ba170N.exe

Executes dropped EXE 1 IoCs

pid	Process
3120	9a4d4c67223ac058388d30cebd5ba170N.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3700-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x000a0000000234a7-12.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
10	pastebin.com

Program crash 18 IoCs

pid	pid_target	Process	procid_target
1812	3120	WerFault.exe	86
4140	3120	WerFault.exe	86
1180	3120	WerFault.exe	86
2756	3120	WerFault.exe	86
3040	3120	WerFault.exe	86
2556	3120	WerFault.exe	86
1220	3120	WerFault.exe	86
2636	3120	WerFault.exe	86
3272	3120	WerFault.exe	86
1400	3120	WerFault.exe	86
740	3120	WerFault.exe	86
4196	3120	WerFault.exe	86
4476	3120	WerFault.exe	86
2528	3120	WerFault.exe	86
3544	3120	WerFault.exe	86
2352	3120	WerFault.exe	86
3148	3120	WerFault.exe	86
4708	3120	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9a4d4c67223ac058388d30cebd5ba170N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9a4d4c67223ac058388d30cebd5ba170N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3816	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3700	9a4d4c67223ac058388d30cebd5ba170N.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3700	9a4d4c67223ac058388d30cebd5ba170N.exe
3120	9a4d4c67223ac058388d30cebd5ba170N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 3120	3700	9a4d4c67223ac058388d30cebd5ba170N.exe	86
PID 3700 wrote to memory of 3120	3700	9a4d4c67223ac058388d30cebd5ba170N.exe	86
PID 3700 wrote to memory of 3120	3700	9a4d4c67223ac058388d30cebd5ba170N.exe	86
PID 3120 wrote to memory of 3816	3120	9a4d4c67223ac058388d30cebd5ba170N.exe	88
PID 3120 wrote to memory of 3816	3120	9a4d4c67223ac058388d30cebd5ba170N.exe	88
PID 3120 wrote to memory of 3816	3120	9a4d4c67223ac058388d30cebd5ba170N.exe	88
PID 3120 wrote to memory of 3116	3120	9a4d4c67223ac058388d30cebd5ba170N.exe	90
PID 3120 wrote to memory of 3116	3120	9a4d4c67223ac058388d30cebd5ba170N.exe	90
PID 3120 wrote to memory of 3116	3120	9a4d4c67223ac058388d30cebd5ba170N.exe	90
PID 3116 wrote to memory of 3376	3116	cmd.exe	92
PID 3116 wrote to memory of 3376	3116	cmd.exe	92
PID 3116 wrote to memory of 3376	3116	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\9a4d4c67223ac058388d30cebd5ba170N.exe
"C:\Users\Admin\AppData\Local\Temp\9a4d4c67223ac058388d30cebd5ba170N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Users\Admin\AppData\Local\Temp\9a4d4c67223ac058388d30cebd5ba170N.exe
  C:\Users\Admin\AppData\Local\Temp\9a4d4c67223ac058388d30cebd5ba170N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\9a4d4c67223ac058388d30cebd5ba170N.exe" /TN tYhKbwya6b63 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3816
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN tYhKbwya6b63 > C:\Users\Admin\AppData\Local\Temp\liGQZCla.xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN tYhKbwya6b63
      4⤵
      System Location Discovery: System Language Discovery
      PID:3376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 604
    3⤵
    - Program crash
    PID:1812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 604
    3⤵
    - Program crash
    PID:4140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 716
    3⤵
    - Program crash
    PID:1180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 720
    3⤵
    - Program crash
    PID:2756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 736
    3⤵
    - Program crash
    PID:3040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 648
    3⤵
    - Program crash
    PID:2556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1456
    3⤵
    - Program crash
    PID:1220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1468
    3⤵
    - Program crash
    PID:2636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1744
    3⤵
    - Program crash
    PID:3272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1528
    3⤵
    - Program crash
    PID:1400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1576
    3⤵
    - Program crash
    PID:740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1452
    3⤵
    - Program crash
    PID:4196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1580
    3⤵
    - Program crash
    PID:4476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1464
    3⤵
    - Program crash
    PID:2528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1528
    3⤵
    - Program crash
    PID:3544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1696
    3⤵
    - Program crash
    PID:2352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1540
    3⤵
    - Program crash
    PID:3148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1584
    3⤵
    - Program crash
    PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 3120 -ip 3120
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3120 -ip 3120
1⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3120 -ip 3120
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3120 -ip 3120
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3120 -ip 3120
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3120 -ip 3120
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3120 -ip 3120
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3120 -ip 3120
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3120 -ip 3120
1⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3120 -ip 3120
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3120 -ip 3120
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3120 -ip 3120
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3120 -ip 3120
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3120 -ip 3120
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3120 -ip 3120
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3120 -ip 3120
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3120 -ip 3120
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3120 -ip 3120
1⤵
PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9a4d4c67223ac058388d30cebd5ba170N.exe

Filesize
3.2MB

MD5
499d11614a51fa02e08cc4db435e3421

SHA1
8e58d1bc34188c295990e411b2e26fffdc28b77e

SHA256
8e2f3daa9f806a23f1291478223c8bd855ce7ef4537caec92e94d85d20fca179

SHA512
574b5a294288abc1f788a3f87c59fe787d7a4f3d2e22bf8e08ebf64f5a61f763bf378e81709f3df654f8fe99535f5a2ff754f8db7532a7b9ccfdaf28dd5b5ca5

Download Submit
memory/3120-21-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3120-20-0x0000000001720000-0x000000000179E000-memory.dmp

Filesize
504KB

Download
memory/3120-22-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/3120-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3120-45-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3700-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3700-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3700-7-0x0000000025000000-0x000000002507E000-memory.dmp

Filesize
504KB

Download
memory/3700-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads