Analysis
- max time kernel: 105s
- max time network: 116s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/08/2024, 15:12
Behavioral task: behavioral1
- Sample: a41ffdb8ddb5e27c1ad6478d7559f240N.exe
- Resource: win7-20240708-en
General
- Target: a41ffdb8ddb5e27c1ad6478d7559f240N.exe
- Size: 1.0MB
- MD5: a41ffdb8ddb5e27c1ad6478d7559f240
- SHA1: f83e04929f3988a3aefc8ac40a8a6a72f83ade97
- SHA256: eedc4ce191851f845f671e469ad056868d7fd07f7fe853697bff1d1f62b95056
- SHA512: 9a07541981ed54376f202ad1ec0f82d0da4717b01e8cb678165d98b51d73a5731b84bca457458f32c6a52ab1c0688b99050e39da3f3f2d6b69427b808029842b
- SSDEEP: 24576:+A/uXLA5A3c1KdYS+f7vlK13BHUZ50zqLQyow3CqCzt:J/u7A5A3c1KSf7dK11Ur0wQyow3Cpzt
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid   Process
  2852  a41ffdb8ddb5e27c1ad6478d7559f240N.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  2852  a41ffdb8ddb5e27c1ad6478d7559f240N.exe
- YARA rule matches (3 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/1740-0-0x0000000000400000-0x000000000065C000-memory.dmp   upx
  behavioral2/files/0x00090000000233fb-12.dat                                  upx
  behavioral2/memory/2852-14-0x0000000000400000-0x000000000065C000-memory.dmp  upx
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
  flow  ioc
  14    pastebin.com
- Program crash (5 IoCs)
  pid   pid_target  Process       procid_target
  2076  2852        WerFault.exe  85
  3960  2852        WerFault.exe  85
  4936  2852        WerFault.exe  85
  704   2852        WerFault.exe  85
  3796  2852        WerFault.exe  85
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a41ffdb8ddb5e27c1ad6478d7559f240N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a41ffdb8ddb5e27c1ad6478d7559f240N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2044  schtasks.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  1740  a41ffdb8ddb5e27c1ad6478d7559f240N.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  1740  a41ffdb8ddb5e27c1ad6478d7559f240N.exe
  2852  a41ffdb8ddb5e27c1ad6478d7559f240N.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                procid_target
  PID 1740 wrote to memory of 2852   1740  a41ffdb8ddb5e27c1ad6478d7559f240N.exe  85
  PID 1740 wrote to memory of 2852   1740  a41ffdb8ddb5e27c1ad6478d7559f240N.exe  85
  PID 1740 wrote to memory of 2852   1740  a41ffdb8ddb5e27c1ad6478d7559f240N.exe  85
  PID 2852 wrote to memory of 2044   2852  a41ffdb8ddb5e27c1ad6478d7559f240N.exe  86
  PID 2852 wrote to memory of 2044   2852  a41ffdb8ddb5e27c1ad6478d7559f240N.exe  86
  PID 2852 wrote to memory of 2044   2852  a41ffdb8ddb5e27c1ad6478d7559f240N.exe  86
  PID 2852 wrote to memory of 2224   2852  a41ffdb8ddb5e27c1ad6478d7559f240N.exe  88
  PID 2852 wrote to memory of 2224   2852  a41ffdb8ddb5e27c1ad6478d7559f240N.exe  88
  PID 2852 wrote to memory of 2224   2852  a41ffdb8ddb5e27c1ad6478d7559f240N.exe  88
  PID 2224 wrote to memory of 3492   2224  cmd.exe                                91
  PID 2224 wrote to memory of 3492   2224  cmd.exe                                91
  PID 2224 wrote to memory of 3492   2224  cmd.exe                                91
Processes (indentation shows the parent/child depth of the process tree)
- C:\Users\Admin\AppData\Local\Temp\a41ffdb8ddb5e27c1ad6478d7559f240N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a41ffdb8ddb5e27c1ad6478d7559f240N.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: RenamesItself; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  PID: 1740
  - C:\Users\Admin\AppData\Local\Temp\a41ffdb8ddb5e27c1ad6478d7559f240N.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\a41ffdb8ddb5e27c1ad6478d7559f240N.exe
    Signatures: Deletes itself; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    PID: 2852
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\a41ffdb8ddb5e27c1ad6478d7559f240N.exe" /TN n3TzfEYb35ee /F
      Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
      PID: 2044
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c schtasks.exe /Query /XML /TN n3TzfEYb35ee > C:\Users\Admin\AppData\Local\Temp\f77ukS.xml
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID: 2224
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks.exe /Query /XML /TN n3TzfEYb35ee
        Signatures: System Location Discovery: System Language Discovery
        PID: 3492
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 616
      Signatures: Program crash
      PID: 2076
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 636
      Signatures: Program crash
      PID: 3960
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 644
      Signatures: Program crash
      PID: 4936
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 724
      Signatures: Program crash
      PID: 704
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 744
      Signatures: Program crash
      PID: 3796
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2852 -ip 2852
  PID: 1536
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2852 -ip 2852
  PID: 2024
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2852 -ip 2852
  PID: 2556
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2852 -ip 2852
  PID: 4440
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2852 -ip 2852
  PID: 892
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.0MB
  MD5: d67004e4589c6f078036cdee5c9a3708
  SHA1: fe8927c1da2951b87ccc5edf08992a520f961fe7
  SHA256: 058f586030b3ec1243cd4462108815db18e9adf72a98bd8fec7a06d1b72231a0
  SHA512: f60345adc99c182bd6bc289f1001a68f05263673aa751f4962d240bbcfbb1788d4188c63e6422d95173d9622b2c6c35c4de19184ead23b9fe920683a3741c8c3
- Filesize: 1KB
  MD5: 7ce109082006bfddd9af80ef15344fb1
  SHA1: 5388351cbef591dc245fd93cf70296bc4cc916b7
  SHA256: 66048860ad0e58984b59be776c6050951e53c40f93a272ed2067197b77fc6dd1
  SHA512: 420a3acf1c940d44ee7e352b471ba8d620074c063a26d35489ceabbdaddb33f47d9cc6d6892f2425764cc9573bea92d42b876898d0b50da92ee76e598955742f