7394093efa830bc304c344d139b70efbeb956f0d623e46b31bef0313b161467f

Analysis

max time kernel
110s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d94eac76af4dcc102c986aa10f8954e0N.exe
Size

6.4MB
MD5

d94eac76af4dcc102c986aa10f8954e0
SHA1

c2d627888aefca58c488c784fddd0f6b8ce36fa8
SHA256

7394093efa830bc304c344d139b70efbeb956f0d623e46b31bef0313b161467f
SHA512

0915826c926ee895bdf0272233e83e43d5545509d88bceb3607533160f0e6eedea68e72af479d60ae2635728f8044d385eeac01759610e396a2bbb9c14c5ddf3
SSDEEP

196608:yulJqq/2dl6E1jWDCdlARVjjdl6E1jWDCdl72mU/dl6E1jWDCdlARVjjdl6E1jWZ:v/d6Ore6O2vUq6Ore6O9

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2096	d94eac76af4dcc102c986aa10f8954e0N.exe

Executes dropped EXE 1 IoCs

pid	Process
2096	d94eac76af4dcc102c986aa10f8954e0N.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4276-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x00080000000234c3-12.dat	upx
behavioral2/memory/2096-14-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
16	pastebin.com

Program crash 19 IoCs

pid	pid_target	Process	procid_target
2420	2096	WerFault.exe	86
2412	2096	WerFault.exe	86
632	2096	WerFault.exe	86
2036	2096	WerFault.exe	86
4684	2096	WerFault.exe	86
3816	2096	WerFault.exe	86
2168	2096	WerFault.exe	86
4544	2096	WerFault.exe	86
1920	2096	WerFault.exe	86
2200	2096	WerFault.exe	86
4296	2096	WerFault.exe	86
4948	2096	WerFault.exe	86
2976	2096	WerFault.exe	86
4204	2096	WerFault.exe	86
2952	2096	WerFault.exe	86
1236	2096	WerFault.exe	86
1844	2096	WerFault.exe	86
2864	2096	WerFault.exe	86
4544	2096	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d94eac76af4dcc102c986aa10f8954e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d94eac76af4dcc102c986aa10f8954e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4800	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4276	d94eac76af4dcc102c986aa10f8954e0N.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4276	d94eac76af4dcc102c986aa10f8954e0N.exe
2096	d94eac76af4dcc102c986aa10f8954e0N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 2096	4276	d94eac76af4dcc102c986aa10f8954e0N.exe	86
PID 4276 wrote to memory of 2096	4276	d94eac76af4dcc102c986aa10f8954e0N.exe	86
PID 4276 wrote to memory of 2096	4276	d94eac76af4dcc102c986aa10f8954e0N.exe	86
PID 2096 wrote to memory of 4800	2096	d94eac76af4dcc102c986aa10f8954e0N.exe	87
PID 2096 wrote to memory of 4800	2096	d94eac76af4dcc102c986aa10f8954e0N.exe	87
PID 2096 wrote to memory of 4800	2096	d94eac76af4dcc102c986aa10f8954e0N.exe	87
PID 2096 wrote to memory of 3304	2096	d94eac76af4dcc102c986aa10f8954e0N.exe	90
PID 2096 wrote to memory of 3304	2096	d94eac76af4dcc102c986aa10f8954e0N.exe	90
PID 2096 wrote to memory of 3304	2096	d94eac76af4dcc102c986aa10f8954e0N.exe	90
PID 3304 wrote to memory of 1236	3304	cmd.exe	92
PID 3304 wrote to memory of 1236	3304	cmd.exe	92
PID 3304 wrote to memory of 1236	3304	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\d94eac76af4dcc102c986aa10f8954e0N.exe
"C:\Users\Admin\AppData\Local\Temp\d94eac76af4dcc102c986aa10f8954e0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Users\Admin\AppData\Local\Temp\d94eac76af4dcc102c986aa10f8954e0N.exe
  C:\Users\Admin\AppData\Local\Temp\d94eac76af4dcc102c986aa10f8954e0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\d94eac76af4dcc102c986aa10f8954e0N.exe" /TN I8mYOnEac625 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN I8mYOnEac625 > C:\Users\Admin\AppData\Local\Temp\HqyoXYV.xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3304
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN I8mYOnEac625
      4⤵
      System Location Discovery: System Language Discovery
      PID:1236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 616
    3⤵
    - Program crash
    PID:2420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 604
    3⤵
    - Program crash
    PID:2412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 636
    3⤵
    - Program crash
    PID:632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 632
    3⤵
    - Program crash
    PID:2036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 720
    3⤵
    - Program crash
    PID:4684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 728
    3⤵
    - Program crash
    PID:3816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1460
    3⤵
    - Program crash
    PID:2168
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1508
    3⤵
    - Program crash
    PID:4544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1744
    3⤵
    - Program crash
    PID:1920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1528
    3⤵
    - Program crash
    PID:2200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1568
    3⤵
    - Program crash
    PID:4296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1564
    3⤵
    - Program crash
    PID:4948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1560
    3⤵
    - Program crash
    PID:2976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1516
    3⤵
    - Program crash
    PID:4204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1516
    3⤵
    - Program crash
    PID:2952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1700
    3⤵
    - Program crash
    PID:1236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1768
    3⤵
    - Program crash
    PID:1844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1808
    3⤵
    - Program crash
    PID:2864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1596
    3⤵
    - Program crash
    PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2096 -ip 2096
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2096 -ip 2096
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2096 -ip 2096
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2096 -ip 2096
1⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2096 -ip 2096
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2096 -ip 2096
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2096 -ip 2096
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2096 -ip 2096
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2096 -ip 2096
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2096 -ip 2096
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2096 -ip 2096
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2096 -ip 2096
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2096 -ip 2096
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2096 -ip 2096
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2096 -ip 2096
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2096 -ip 2096
1⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2096 -ip 2096
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2096 -ip 2096
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2096 -ip 2096
1⤵
PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HqyoXYV.xml

Filesize
1KB

MD5
d5ab6a625af199508dc924294a34c094

SHA1
d8fa52a5d4a830e19afcc898ed25ff2907179753

SHA256
98b045d3c2d30d41d3a3ce921de03ee5630124c2bf9a441cc2c69283ccb1b83b

SHA512
e8cee2ae1c6240263c9a35624649d0441b6bb421b51a91b3ec50ec25df9d80cbe0a28891ccd42e7f37ac10a3e025b4f7dcbcb1077f2c9f375b350ca99846496e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d94eac76af4dcc102c986aa10f8954e0N.exe

Filesize
6.4MB

MD5
e7fbea8cecb43832a3248b0ef570a4d5

SHA1
3d34bdf718826c802f47c662c616f94f7aa2885d

SHA256
8575d5672c4422a40218fe3c764e33a2016e2fdc827acb25697a58cdc6d0d87e

SHA512
5611b7d2859ff86bc675a5c336d0553acff6d8ea35a980b896e25c0f1abe777947a7da03fc14b87605b6678e39a933156fa2fe4343e5f431350649fbcd2ac271

Download Submit
memory/2096-14-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2096-21-0x0000000023FE0000-0x000000002405E000-memory.dmp

Filesize
504KB

Download
memory/2096-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2096-22-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2096-44-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4276-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4276-7-0x0000000026030000-0x00000000260AE000-memory.dmp

Filesize
504KB

Download
memory/4276-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4276-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads