bb4a57263263259534ddd3ff3706a6ab394a9f72374192493f629a012b788640

Analysis

max time kernel
93s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 00:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

899cd2faa361a933cb7f2383706896b0N.exe
Size

1003KB
MD5

899cd2faa361a933cb7f2383706896b0
SHA1

c446d6311577847a69223bbb5dca7d3fed23735c
SHA256

bb4a57263263259534ddd3ff3706a6ab394a9f72374192493f629a012b788640
SHA512

6655b7def7e8c64da61f4d57b680670b0822c62c057c23a17fb677586e5c672882f5cce92ecd6ad6d2c55a40e28863aa4f4836f4d84911d7aa5d48f01dd74e9b
SSDEEP

12288:nNmHdt5wxw1POOCELWFaLZN+M4cwTfr5T/l4hSH9DNo1jMc17VQC03XT4t/AsRUN:kH1hJzXwrVT94h6HhCQEFSP4LBHcesp

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
988	899cd2faa361a933cb7f2383706896b0N.exe

Executes dropped EXE 1 IoCs

pid	Process
988	899cd2faa361a933cb7f2383706896b0N.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2608-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x0009000000023420-12.dat	upx
behavioral2/memory/988-20-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
11	pastebin.com

Program crash 19 IoCs

pid	pid_target	Process	procid_target
3552	988	WerFault.exe	85
4456	988	WerFault.exe	85
412	988	WerFault.exe	85
3912	988	WerFault.exe	85
760	988	WerFault.exe	85
2264	988	WerFault.exe	85
2900	988	WerFault.exe	85
3596	988	WerFault.exe	85
4932	988	WerFault.exe	85
4448	988	WerFault.exe	85
4840	988	WerFault.exe	85
2132	988	WerFault.exe	85
1520	988	WerFault.exe	85
3024	988	WerFault.exe	85
4596	988	WerFault.exe	85
3600	988	WerFault.exe	85
4360	988	WerFault.exe	85
368	988	WerFault.exe	85
396	988	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	899cd2faa361a933cb7f2383706896b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	899cd2faa361a933cb7f2383706896b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2516	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2608	899cd2faa361a933cb7f2383706896b0N.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2608	899cd2faa361a933cb7f2383706896b0N.exe
988	899cd2faa361a933cb7f2383706896b0N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 988	2608	899cd2faa361a933cb7f2383706896b0N.exe	85
PID 2608 wrote to memory of 988	2608	899cd2faa361a933cb7f2383706896b0N.exe	85
PID 2608 wrote to memory of 988	2608	899cd2faa361a933cb7f2383706896b0N.exe	85
PID 988 wrote to memory of 2516	988	899cd2faa361a933cb7f2383706896b0N.exe	86
PID 988 wrote to memory of 2516	988	899cd2faa361a933cb7f2383706896b0N.exe	86
PID 988 wrote to memory of 2516	988	899cd2faa361a933cb7f2383706896b0N.exe	86
PID 988 wrote to memory of 1916	988	899cd2faa361a933cb7f2383706896b0N.exe	89
PID 988 wrote to memory of 1916	988	899cd2faa361a933cb7f2383706896b0N.exe	89
PID 988 wrote to memory of 1916	988	899cd2faa361a933cb7f2383706896b0N.exe	89
PID 1916 wrote to memory of 4528	1916	cmd.exe	91
PID 1916 wrote to memory of 4528	1916	cmd.exe	91
PID 1916 wrote to memory of 4528	1916	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\899cd2faa361a933cb7f2383706896b0N.exe
"C:\Users\Admin\AppData\Local\Temp\899cd2faa361a933cb7f2383706896b0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Users\Admin\AppData\Local\Temp\899cd2faa361a933cb7f2383706896b0N.exe
  C:\Users\Admin\AppData\Local\Temp\899cd2faa361a933cb7f2383706896b0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\899cd2faa361a933cb7f2383706896b0N.exe" /TN XTZ9jknb24dd /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN XTZ9jknb24dd > C:\Users\Admin\AppData\Local\Temp\Un2bQ26.xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN XTZ9jknb24dd
      4⤵
      System Location Discovery: System Language Discovery
      PID:4528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 604
    3⤵
    - Program crash
    PID:3552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 648
    3⤵
    - Program crash
    PID:4456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 656
    3⤵
    - Program crash
    PID:412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 724
    3⤵
    - Program crash
    PID:3912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 764
    3⤵
    - Program crash
    PID:760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 752
    3⤵
    - Program crash
    PID:2264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1456
    3⤵
    - Program crash
    PID:2900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1524
    3⤵
    - Program crash
    PID:3596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1744
    3⤵
    - Program crash
    PID:4932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1696
    3⤵
    - Program crash
    PID:4448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1512
    3⤵
    - Program crash
    PID:4840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1752
    3⤵
    - Program crash
    PID:2132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1528
    3⤵
    - Program crash
    PID:1520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1740
    3⤵
    - Program crash
    PID:3024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1852
    3⤵
    - Program crash
    PID:4596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1868
    3⤵
    - Program crash
    PID:3600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1912
    3⤵
    - Program crash
    PID:4360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1932
    3⤵
    - Program crash
    PID:368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1760
    3⤵
    - Program crash
    PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 988 -ip 988
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 988 -ip 988
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 988 -ip 988
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 988 -ip 988
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 988 -ip 988
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 988 -ip 988
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 988 -ip 988
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 988 -ip 988
1⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 988 -ip 988
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 988 -ip 988
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 988 -ip 988
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 988 -ip 988
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 988 -ip 988
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 988 -ip 988
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 988 -ip 988
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 988 -ip 988
1⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 988 -ip 988
1⤵
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 988 -ip 988
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 988 -ip 988
1⤵
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\899cd2faa361a933cb7f2383706896b0N.exe

Filesize
1003KB

MD5
775c6634a5bbd65d57db20e95e93c9c4

SHA1
d7b84e44bddb021db7b3baac7fa97d370b130f4a

SHA256
4b5d9ba7e75e23eaf0214616bc9f852a426163328294e17aeb737e6464f38b9d

SHA512
a436faaac8df9ef860e6e62c8c655f5434154d95459f9897d59bbd422c26ed2bc5e7092f50e991a5dc49cdadf19e320ed7e04a5cad30aeeaf9fd2aaa3cba092f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Un2bQ26.xml

Filesize
1KB

MD5
bb7fc762d8a7adc2a6a1090b861dbabc

SHA1
af21545e72ab649af1112128c50c51e2df0f20ef

SHA256
f0a6e0298afb4d16a32a3e858fbbe2876f7d8d8ea18d3be7a0ac464230a2b407

SHA512
a3ffe48a11bcbe35060654a36dc4b9bd55fe18675bcb16962d488f11235f1f617f1ba271cf768c8fd5a3471d18fc7bf3b1cce63e4137be970b6d87026614b690

Download Submit
memory/988-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/988-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/988-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/988-26-0x00000000016E0000-0x000000000175E000-memory.dmp

Filesize
504KB

Download
memory/988-44-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2608-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2608-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2608-7-0x0000000001720000-0x000000000179E000-memory.dmp

Filesize
504KB

Download
memory/2608-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads