ceed12c6721d07619be278eafc7fa4c35d4c647694d7db08fd7803f785bd8fb7

Analysis

max time kernel
93s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 10:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
Size

163KB
MD5

e830d4795e7a03e10bb55a96cfc8085a
SHA1

ba5701ada9705c7fe980239539f872266f6b362b
SHA256

3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b
SHA512

18d77795d1c99d67cdf521486c8f6bf64c409df019e8017c9775b40b8517ba2b8c349761aba3f05827e63e9d6584dd68fecc1b96c6ef3353140bfecb554c731f
SSDEEP

3072:KEqeyzjXGszbcjSE2kCwsPQZDgsNqEuRqPTofAZToEE6ooqiq8EpKP1dwLFurHNo:KE5y3GfSEFCNPQZsFRqPdd1E6dqi4pyC

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2916-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00020000000229c3-5.dat	upx
behavioral2/memory/2916-2314-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/2916-2317-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/2916-2464-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	\??\c:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File created	\??\c:\Program Files\desktop.ini	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\desktop.ini	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\api-ms-win-core-util-l1-1-0.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TraceSource.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Overlapped.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsBase.resources.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Controls.Ribbon.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\unpack200.exe	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClientSideProviders.resources.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\legal\javafx\webkit.md	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\ipsel.xml	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Common Files\System\Ole DB\msdasqlr.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Input.Manipulations.resources.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File created	\??\c:\Program Files\Common Files\System\Ole DB\sqloledb.rll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationCore.resources.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\ConvertToLimit.ttc	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\de.pak	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Input.Manipulations.resources.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.DataAnnotations.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\JAWTAccessBridge-64.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File created	\??\c:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.UnmanagedMemoryStream.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Mail.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClient.resources.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansRegular.ttf	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\lcms.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File created	\??\c:\Program Files\Common Files\System\es-ES\wab32res.dll.mui	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Controls.Ribbon.resources.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NameResolution.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationCore.resources.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Design.resources.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\legal\javafx\libffi.md	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\Content.xml	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Numerics.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationTypes.resources.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\vcruntime140_1.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsBase.resources.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\it.pak	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\ReachFramework.resources.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\ipshi.xml	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\nio.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\legal\jdk\xalan.md	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zCon.sfx	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\include\jvmti.h	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3572	2916	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe

C:\Users\Admin\AppData\Local\Temp\3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe
"C:\Users\Admin\AppData\Local\Temp\3c0e62668297340d7c921f31ff8b93aef4045fd8451e2ed1af51487b4b840a0b.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1000
  2⤵
  - Program crash
  PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2916 -ip 2916
1⤵
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.dll

Filesize
1.9MB

MD5
c84ee071e0abb44cd0b7ac7e58b03dcc

SHA1
bfbf2720a0bcbca94c5b83950c345db95b57c8a3

SHA256
10e1ebcae2d6797cf3c0f324e8104c9cfb721fe10735a092f5df7220109d5c8e

SHA512
6f4a5e1ae119f40f6ebc46a222ef6bd452854b03109df91ff4962add9ff3dce65ce8f56eec14280da9a9c41ca92d69d33b6f6161f3842efae4e8f3543c34badf

Download Submit
C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll

Filesize
5B

MD5
b5b682b742431a52ea8b17c72ad9c572

SHA1
326320f469235708c59f678c9a7357dca552d306

SHA256
30d9045a9f172208b13161d1f5204e5787e5e07bfbb4f490d0041b03b7f44f76

SHA512
4e1bd7cc616b3115baf6be7ebd29fe2d1123bc0f25464865a0cf9207b0344fba70747a5ce6f00e8d9c696881f6db1e12f81736bc748b6f2b60bf84c681a49163

Download Submit
memory/2916-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2916-2314-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2916-2317-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2916-2464-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download