cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe
Size

3.9MB
MD5

65aada27caa7bfe938dac18e6fa832b8
SHA1

200a29376727e41a3cb5351beb63cf86dc09b2fd
SHA256

cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f
SHA512

0caad922b8611a1add70454649c4859737fde7ddff618807fecc9d5ba325d187d1b3aac8b61146f000944f0927326c39a8ac0110dc7ecad6dea4aece5b5678c8
SSDEEP

98304:tzk7BzeLydRNIjHGPFNkEUaqj4MN2MfIjHGP1DLxTm0B0IjHGPFNkEUaqj4MN2Mr:Zk7BzJRqK47aK4CnQKNDLtB5K47aK4Cr

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1048	cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe

Executes dropped EXE 1 IoCs

pid	Process
1048	cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2992-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x00090000000233dc-12.dat	upx
behavioral2/memory/1048-14-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
17	pastebin.com

Program crash 20 IoCs

pid	pid_target	Process	procid_target
832	1048	WerFault.exe	85
3584	1048	WerFault.exe	85
4124	1048	WerFault.exe	85
4060	1048	WerFault.exe	85
4384	1048	WerFault.exe	85
4020	1048	WerFault.exe	85
2756	1048	WerFault.exe	85
1972	1048	WerFault.exe	85
1544	1048	WerFault.exe	85
4336	1048	WerFault.exe	85
3320	1048	WerFault.exe	85
5056	1048	WerFault.exe	85
4248	1048	WerFault.exe	85
1812	1048	WerFault.exe	85
220	1048	WerFault.exe	85
2416	1048	WerFault.exe	85
336	1048	WerFault.exe	85
1516	1048	WerFault.exe	85
2228	1048	WerFault.exe	85
2252	1048	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1380	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2992	cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2992	cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe
1048	cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 1048	2992	cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe	85
PID 2992 wrote to memory of 1048	2992	cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe	85
PID 2992 wrote to memory of 1048	2992	cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe	85
PID 1048 wrote to memory of 1380	1048	cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe	86
PID 1048 wrote to memory of 1380	1048	cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe	86
PID 1048 wrote to memory of 1380	1048	cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe	86
PID 1048 wrote to memory of 3272	1048	cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe	89
PID 1048 wrote to memory of 3272	1048	cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe	89
PID 1048 wrote to memory of 3272	1048	cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe	89
PID 3272 wrote to memory of 3120	3272	cmd.exe	91
PID 3272 wrote to memory of 3120	3272	cmd.exe	91
PID 3272 wrote to memory of 3120	3272	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe
"C:\Users\Admin\AppData\Local\Temp\cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe
  C:\Users\Admin\AppData\Local\Temp\cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe" /TN tYhKbwya6b63 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1380
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN tYhKbwya6b63 > C:\Users\Admin\AppData\Local\Temp\Na74dS1BV.xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3272
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN tYhKbwya6b63
      4⤵
      System Location Discovery: System Language Discovery
      PID:3120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 600
    3⤵
    - Program crash
    PID:832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 628
    3⤵
    - Program crash
    PID:3584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 724
    3⤵
    - Program crash
    PID:4124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 732
    3⤵
    - Program crash
    PID:4060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 632
    3⤵
    - Program crash
    PID:4384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 780
    3⤵
    - Program crash
    PID:4020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1476
    3⤵
    - Program crash
    PID:2756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1548
    3⤵
    - Program crash
    PID:1972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1744
    3⤵
    - Program crash
    PID:1544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1744
    3⤵
    - Program crash
    PID:4336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1568
    3⤵
    - Program crash
    PID:3320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1724
    3⤵
    - Program crash
    PID:5056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1552
    3⤵
    - Program crash
    PID:4248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1768
    3⤵
    - Program crash
    PID:1812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1784
    3⤵
    - Program crash
    PID:220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1824
    3⤵
    - Program crash
    PID:2416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1884
    3⤵
    - Program crash
    PID:336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1728
    3⤵
    - Program crash
    PID:1516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1608
    3⤵
    - Program crash
    PID:2228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 624
    3⤵
    - Program crash
    PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1048 -ip 1048
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1048 -ip 1048
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1048 -ip 1048
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1048 -ip 1048
1⤵
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1048 -ip 1048
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1048 -ip 1048
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1048 -ip 1048
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1048 -ip 1048
1⤵
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1048 -ip 1048
1⤵
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1048 -ip 1048
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1048 -ip 1048
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1048 -ip 1048
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1048 -ip 1048
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1048 -ip 1048
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1048 -ip 1048
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1048 -ip 1048
1⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1048 -ip 1048
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1048 -ip 1048
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1048 -ip 1048
1⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1048 -ip 1048
1⤵
PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Na74dS1BV.xml

Filesize
1KB

MD5
77cde54fce8c47c9e58d0e5eeeee8572

SHA1
e26b21dc930c6132e655eb074d438b81c55a7643

SHA256
45f17dc55443c4563125106f0eccb7e7bf658e0e7fb335be264891b6cf9f4c36

SHA512
e1f996da374ee998306abcb4c45b1ae6d2c23b7f44562607ab3f9c461aa3c85e2fed957a81c700941b275aa4aba48dbc5afadfa555fabb754a84c60cbea85951

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf689dc252b7760d8a28a1dd60af34606a9a9fce46c8da5c3a671e8fd7cdcb4f.exe

Filesize
3.9MB

MD5
b15febcb4536d3c221c5ef53cc59431b

SHA1
771fc524930695e95a306dcf47c46d813be49adb

SHA256
0323b40c619252e49b38c7344592b47d556b138fa227dda944b526ca8d442db9

SHA512
67b97c8ecb899291cd5409e3f917c0dc83e2b0c362ef3a6408617f5345f4a1e67d858222427bc086b41a5030a61bd00d3ecac38510258d1282a57b39e39a8cf8

Download Submit
memory/1048-14-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1048-21-0x0000000025040000-0x00000000250BE000-memory.dmp

Filesize
504KB

Download
memory/1048-22-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/1048-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1048-44-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2992-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2992-7-0x0000000001720000-0x000000000179E000-memory.dmp

Filesize
504KB

Download
memory/2992-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2992-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads