ae0fb0cb24696eb2b1f11ee00f7cad4b8bda35f8e6172511785aef132f6322d6

Analysis

max time kernel
104s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efb0c5aa5b5273176f7f41054f622380N.exe
Size

508KB
MD5

efb0c5aa5b5273176f7f41054f622380
SHA1

04618613ca757544da4ca71e073d43867689304b
SHA256

ae0fb0cb24696eb2b1f11ee00f7cad4b8bda35f8e6172511785aef132f6322d6
SHA512

d790a7f8b6405f58d6620018b5c5704ad6c30aa0cc9c522c627033f1741d3bbaef57d688aea2688f9b914bb952a0f65e2509aecffda428a9a439409b5422fe65
SSDEEP

12288:ChL7TwSoeD2Rt3knwbsKt4tj+xtrYxCQH:Cd7T6eTItrYFH

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4012	efb0c5aa5b5273176f7f41054f622380N.exe

Executes dropped EXE 1 IoCs

pid	Process
4012	efb0c5aa5b5273176f7f41054f622380N.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4064-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x000800000002346b-12.dat	upx
behavioral2/memory/4012-14-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
15	pastebin.com

Program crash 19 IoCs

pid	pid_target	Process	procid_target
3240	4012	WerFault.exe	85
2120	4012	WerFault.exe	85
2828	4012	WerFault.exe	85
3472	4012	WerFault.exe	85
3712	4012	WerFault.exe	85
3408	4012	WerFault.exe	85
1740	4012	WerFault.exe	85
4912	4012	WerFault.exe	85
2380	4012	WerFault.exe	85
1924	4012	WerFault.exe	85
2312	4012	WerFault.exe	85
4876	4012	WerFault.exe	85
1464	4012	WerFault.exe	85
1364	4012	WerFault.exe	85
4956	4012	WerFault.exe	85
4060	4012	WerFault.exe	85
3620	4012	WerFault.exe	85
1764	4012	WerFault.exe	85
5076	4012	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efb0c5aa5b5273176f7f41054f622380N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efb0c5aa5b5273176f7f41054f622380N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4916	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4064	efb0c5aa5b5273176f7f41054f622380N.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4064	efb0c5aa5b5273176f7f41054f622380N.exe
4012	efb0c5aa5b5273176f7f41054f622380N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 4012	4064	efb0c5aa5b5273176f7f41054f622380N.exe	85
PID 4064 wrote to memory of 4012	4064	efb0c5aa5b5273176f7f41054f622380N.exe	85
PID 4064 wrote to memory of 4012	4064	efb0c5aa5b5273176f7f41054f622380N.exe	85
PID 4012 wrote to memory of 4916	4012	efb0c5aa5b5273176f7f41054f622380N.exe	86
PID 4012 wrote to memory of 4916	4012	efb0c5aa5b5273176f7f41054f622380N.exe	86
PID 4012 wrote to memory of 4916	4012	efb0c5aa5b5273176f7f41054f622380N.exe	86
PID 4012 wrote to memory of 3748	4012	efb0c5aa5b5273176f7f41054f622380N.exe	88
PID 4012 wrote to memory of 3748	4012	efb0c5aa5b5273176f7f41054f622380N.exe	88
PID 4012 wrote to memory of 3748	4012	efb0c5aa5b5273176f7f41054f622380N.exe	88
PID 3748 wrote to memory of 1916	3748	cmd.exe	90
PID 3748 wrote to memory of 1916	3748	cmd.exe	90
PID 3748 wrote to memory of 1916	3748	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\efb0c5aa5b5273176f7f41054f622380N.exe
"C:\Users\Admin\AppData\Local\Temp\efb0c5aa5b5273176f7f41054f622380N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Users\Admin\AppData\Local\Temp\efb0c5aa5b5273176f7f41054f622380N.exe
  C:\Users\Admin\AppData\Local\Temp\efb0c5aa5b5273176f7f41054f622380N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\efb0c5aa5b5273176f7f41054f622380N.exe" /TN RYTvY5fia886 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4916
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN RYTvY5fia886 > C:\Users\Admin\AppData\Local\Temp\DxHz6.xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN RYTvY5fia886
      4⤵
      System Location Discovery: System Language Discovery
      PID:1916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 564
    3⤵
    - Program crash
    PID:3240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 648
    3⤵
    - Program crash
    PID:2120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 724
    3⤵
    - Program crash
    PID:2828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 744
    3⤵
    - Program crash
    PID:3472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 712
    3⤵
    - Program crash
    PID:3712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 796
    3⤵
    - Program crash
    PID:3408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1500
    3⤵
    - Program crash
    PID:1740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1396
    3⤵
    - Program crash
    PID:4912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1744
    3⤵
    - Program crash
    PID:2380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1376
    3⤵
    - Program crash
    PID:1924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1752
    3⤵
    - Program crash
    PID:2312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1712
    3⤵
    - Program crash
    PID:4876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1572
    3⤵
    - Program crash
    PID:1464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1264
    3⤵
    - Program crash
    PID:1364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1744
    3⤵
    - Program crash
    PID:4956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1756
    3⤵
    - Program crash
    PID:4060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1792
    3⤵
    - Program crash
    PID:3620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1264
    3⤵
    - Program crash
    PID:1764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1708
    3⤵
    - Program crash
    PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4012 -ip 4012
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4012 -ip 4012
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4012 -ip 4012
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4012 -ip 4012
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4012 -ip 4012
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4012 -ip 4012
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4012 -ip 4012
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4012 -ip 4012
1⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4012 -ip 4012
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4012 -ip 4012
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4012 -ip 4012
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4012 -ip 4012
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4012 -ip 4012
1⤵
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4012 -ip 4012
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4012 -ip 4012
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4012 -ip 4012
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4012 -ip 4012
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4012 -ip 4012
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4012 -ip 4012
1⤵
PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DxHz6.xml

Filesize
1KB

MD5
21b8ec53d36cbe7e3766a150a31d67db

SHA1
97add91928d574b7e00a26e6f6b29ae2153b2f0b

SHA256
6c68c72aeaceefb119e15acd1f7113dd5f09c50290c913e96048eba34ef8caa7

SHA512
056928b71bab0c1eb845d2c3236124ec133b9025547a019734e145c0f4998b1dc0d07a4e2f9f45da5101829ad0721f047d8a27eb4c34dcc79260b8797a1dc2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\efb0c5aa5b5273176f7f41054f622380N.exe

Filesize
508KB

MD5
40a2b5f70f52c787299ba5f7fb092c79

SHA1
f0231892edf97410e4b15b0107d83a4bf256349a

SHA256
447046276f0597c76477ecfc30c941619ba7c8db23910393da1a97de5f304207

SHA512
f62e8e9ebb312135513810878f4e20e7279c9de5e9fd902841f7aa8b7450ce89744792a6585dc5012c18db25aaca187de65abfbff7b86b05bd7051b249faf31f

Download Submit
memory/4012-14-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4012-21-0x0000000024FD0000-0x000000002504E000-memory.dmp

Filesize
504KB

Download
memory/4012-22-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/4012-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4012-45-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4064-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4064-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4064-7-0x0000000024FF0000-0x000000002506E000-memory.dmp

Filesize
504KB

Download
memory/4064-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads