d05448ab0b58b69216296687d2d2ff732eb6d7cbbcae6ae163d0f38df2e91bfe

Analysis

max time kernel
103s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ee16b8e3356a6c2c154e76c53b07880N.exe
Size

6.2MB
MD5

5ee16b8e3356a6c2c154e76c53b07880
SHA1

792b312d9e4a3b9da1678f38ac11f3caf7289d17
SHA256

d05448ab0b58b69216296687d2d2ff732eb6d7cbbcae6ae163d0f38df2e91bfe
SHA512

191e232cd02718b74301cdb175ba304b73e29483c81071285065791b088c3190bf4fad191ca096faa4d4e5cf4457450c30e0ea6d969e2677da906b5042f4eabf
SSDEEP

196608:pRe3xJjJ8dbNrdNkEtkldbNrdqkmINfbdbNrdNkEtkldbNrdM:7e37dINz9tINkkff1Nz9tINu

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
404	5ee16b8e3356a6c2c154e76c53b07880N.exe

Executes dropped EXE 1 IoCs

pid	Process
404	5ee16b8e3356a6c2c154e76c53b07880N.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4408-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x000a0000000234f4-12.dat	upx
behavioral2/memory/404-14-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
21	pastebin.com

Program crash 17 IoCs

pid	pid_target	Process	procid_target
1600	404	WerFault.exe	86
1820	404	WerFault.exe	86
1512	404	WerFault.exe	86
3540	404	WerFault.exe	86
2436	404	WerFault.exe	86
1408	404	WerFault.exe	86
1504	404	WerFault.exe	86
532	404	WerFault.exe	86
4084	404	WerFault.exe	86
4760	404	WerFault.exe	86
3232	404	WerFault.exe	86
1268	404	WerFault.exe	86
2108	404	WerFault.exe	86
2240	404	WerFault.exe	86
4680	404	WerFault.exe	86
4864	404	WerFault.exe	86
1232	404	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ee16b8e3356a6c2c154e76c53b07880N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ee16b8e3356a6c2c154e76c53b07880N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1676	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4408	5ee16b8e3356a6c2c154e76c53b07880N.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4408	5ee16b8e3356a6c2c154e76c53b07880N.exe
404	5ee16b8e3356a6c2c154e76c53b07880N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 404	4408	5ee16b8e3356a6c2c154e76c53b07880N.exe	86
PID 4408 wrote to memory of 404	4408	5ee16b8e3356a6c2c154e76c53b07880N.exe	86
PID 4408 wrote to memory of 404	4408	5ee16b8e3356a6c2c154e76c53b07880N.exe	86
PID 404 wrote to memory of 1676	404	5ee16b8e3356a6c2c154e76c53b07880N.exe	88
PID 404 wrote to memory of 1676	404	5ee16b8e3356a6c2c154e76c53b07880N.exe	88
PID 404 wrote to memory of 1676	404	5ee16b8e3356a6c2c154e76c53b07880N.exe	88
PID 404 wrote to memory of 1564	404	5ee16b8e3356a6c2c154e76c53b07880N.exe	90
PID 404 wrote to memory of 1564	404	5ee16b8e3356a6c2c154e76c53b07880N.exe	90
PID 404 wrote to memory of 1564	404	5ee16b8e3356a6c2c154e76c53b07880N.exe	90
PID 1564 wrote to memory of 1900	1564	cmd.exe	92
PID 1564 wrote to memory of 1900	1564	cmd.exe	92
PID 1564 wrote to memory of 1900	1564	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\5ee16b8e3356a6c2c154e76c53b07880N.exe
"C:\Users\Admin\AppData\Local\Temp\5ee16b8e3356a6c2c154e76c53b07880N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Users\Admin\AppData\Local\Temp\5ee16b8e3356a6c2c154e76c53b07880N.exe
  C:\Users\Admin\AppData\Local\Temp\5ee16b8e3356a6c2c154e76c53b07880N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\5ee16b8e3356a6c2c154e76c53b07880N.exe" /TN 4k6UDcnU35b0 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 4k6UDcnU35b0 > C:\Users\Admin\AppData\Local\Temp\eLJ5mo.xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN 4k6UDcnU35b0
      4⤵
      System Location Discovery: System Language Discovery
      PID:1900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 604
    3⤵
    - Program crash
    PID:1600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 648
    3⤵
    - Program crash
    PID:1820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 656
    3⤵
    - Program crash
    PID:1512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 720
    3⤵
    - Program crash
    PID:3540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 740
    3⤵
    - Program crash
    PID:2436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 820
    3⤵
    - Program crash
    PID:1408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1472
    3⤵
    - Program crash
    PID:1504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1516
    3⤵
    - Program crash
    PID:532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1724
    3⤵
    - Program crash
    PID:4084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1536
    3⤵
    - Program crash
    PID:4760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1596
    3⤵
    - Program crash
    PID:3232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1584
    3⤵
    - Program crash
    PID:1268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1508
    3⤵
    - Program crash
    PID:2108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1752
    3⤵
    - Program crash
    PID:2240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1600
    3⤵
    - Program crash
    PID:4680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1824
    3⤵
    - Program crash
    PID:4864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1752
    3⤵
    - Program crash
    PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 404 -ip 404
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 404 -ip 404
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 404 -ip 404
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 404 -ip 404
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 404 -ip 404
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 404 -ip 404
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 404 -ip 404
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 404 -ip 404
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 404 -ip 404
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 404 -ip 404
1⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 404 -ip 404
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 404 -ip 404
1⤵
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 404 -ip 404
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 404 -ip 404
1⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 404 -ip 404
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 404 -ip 404
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 404 -ip 404
1⤵
PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5ee16b8e3356a6c2c154e76c53b07880N.exe

Filesize
6.2MB

MD5
c27e59320eb31db2bc4896f7595bcb4c

SHA1
ab2c5521188f695d1a95ac248a64a376e59afd23

SHA256
8be6df48b56bc3e312a237c89853f3160d081fd2fe83c146ea99e815a7d6a702

SHA512
d3d39c1a41585446b017c8d4a191689bd8e74d08438b7cbb2cb9a987d5bd9787bc4f226db8fdff3528dc26a861f145388b52e27993779a777f65248fb41f0858

Download Submit
C:\Users\Admin\AppData\Local\Temp\eLJ5mo.xml

Filesize
1KB

MD5
54e0c358d3ad6aea0ca7d6e78386fdba

SHA1
57737dbe976d81d51d0ba9d4373ddf61ee45876a

SHA256
0197ea3441621ee12e2de8e88b5b1f4f2f63d27e569094def0fd5cef623f84f3

SHA512
b1a7a7c7fa476632a8920316c2df3f54e8ab4971062838a02c14453d876d2270b4a5f4c1b47fcb50e044cf1c1921f0bf8fcdc9d5422577f38910a40aabe11aac

Download Submit
memory/404-14-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/404-21-0x0000000025040000-0x00000000250BE000-memory.dmp

Filesize
504KB

Download
memory/404-22-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/404-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/404-44-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4408-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4408-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4408-7-0x0000000025030000-0x00000000250AE000-memory.dmp

Filesize
504KB

Download
memory/4408-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads