186b4267f0dc7c08b9bd74ab6db343469be2287eaab7f04f3117868e06252a9d

Analysis

max time kernel
95s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0fed858de99d310f42e826063a8cbf0N.exe
Size

3.0MB
MD5

b0fed858de99d310f42e826063a8cbf0
SHA1

9a85ffa2eee2d5e967ad1a35062a60cccf0722de
SHA256

186b4267f0dc7c08b9bd74ab6db343469be2287eaab7f04f3117868e06252a9d
SHA512

fe9a970b4a43fbea7e9961af852e9cbb2e7fe10a724c6962fd9df17d5bfd678728d76b0254bdd4c350ab53bdda19e8cedf7b7ae9640e80eafcfb147c6e1f5a00
SSDEEP

49152:pJ0sYimcakLWqhC2TH5t8NlqMcakLSOXmqOgfBmlxqCicakLWqhC2TH5t8NlqMcl:pJ1YimcakKaC2TZt8NlPcakGB1gZkkCD

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4868	b0fed858de99d310f42e826063a8cbf0N.exe

Executes dropped EXE 1 IoCs

pid	Process
4868	b0fed858de99d310f42e826063a8cbf0N.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4828-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x00090000000234c6-13.dat	upx
behavioral2/memory/4868-15-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
14	pastebin.com

Program crash 19 IoCs

pid	pid_target	Process	procid_target
232	4868	WerFault.exe	84
1892	4868	WerFault.exe	84
4436	4868	WerFault.exe	84
5080	4868	WerFault.exe	84
3860	4868	WerFault.exe	84
1952	4868	WerFault.exe	84
4944	4868	WerFault.exe	84
1324	4868	WerFault.exe	84
1008	4868	WerFault.exe	84
744	4868	WerFault.exe	84
3668	4868	WerFault.exe	84
904	4868	WerFault.exe	84
1364	4868	WerFault.exe	84
4048	4868	WerFault.exe	84
4384	4868	WerFault.exe	84
1632	4868	WerFault.exe	84
4248	4868	WerFault.exe	84
4996	4868	WerFault.exe	84
1852	4868	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0fed858de99d310f42e826063a8cbf0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0fed858de99d310f42e826063a8cbf0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3516	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4828	b0fed858de99d310f42e826063a8cbf0N.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4828	b0fed858de99d310f42e826063a8cbf0N.exe
4868	b0fed858de99d310f42e826063a8cbf0N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 4868	4828	b0fed858de99d310f42e826063a8cbf0N.exe	84
PID 4828 wrote to memory of 4868	4828	b0fed858de99d310f42e826063a8cbf0N.exe	84
PID 4828 wrote to memory of 4868	4828	b0fed858de99d310f42e826063a8cbf0N.exe	84
PID 4868 wrote to memory of 3516	4868	b0fed858de99d310f42e826063a8cbf0N.exe	86
PID 4868 wrote to memory of 3516	4868	b0fed858de99d310f42e826063a8cbf0N.exe	86
PID 4868 wrote to memory of 3516	4868	b0fed858de99d310f42e826063a8cbf0N.exe	86
PID 4868 wrote to memory of 3632	4868	b0fed858de99d310f42e826063a8cbf0N.exe	88
PID 4868 wrote to memory of 3632	4868	b0fed858de99d310f42e826063a8cbf0N.exe	88
PID 4868 wrote to memory of 3632	4868	b0fed858de99d310f42e826063a8cbf0N.exe	88
PID 3632 wrote to memory of 4244	3632	cmd.exe	90
PID 3632 wrote to memory of 4244	3632	cmd.exe	90
PID 3632 wrote to memory of 4244	3632	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\b0fed858de99d310f42e826063a8cbf0N.exe
"C:\Users\Admin\AppData\Local\Temp\b0fed858de99d310f42e826063a8cbf0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Local\Temp\b0fed858de99d310f42e826063a8cbf0N.exe
  C:\Users\Admin\AppData\Local\Temp\b0fed858de99d310f42e826063a8cbf0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\b0fed858de99d310f42e826063a8cbf0N.exe" /TN XTZ9jknb24dd /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3516
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN XTZ9jknb24dd > C:\Users\Admin\AppData\Local\Temp\6A5qL6.xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN XTZ9jknb24dd
      4⤵
      System Location Discovery: System Language Discovery
      PID:4244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 604
    3⤵
    - Program crash
    PID:232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 648
    3⤵
    - Program crash
    PID:1892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 656
    3⤵
    - Program crash
    PID:4436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 652
    3⤵
    - Program crash
    PID:5080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 744
    3⤵
    - Program crash
    PID:3860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 780
    3⤵
    - Program crash
    PID:1952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1468
    3⤵
    - Program crash
    PID:4944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1512
    3⤵
    - Program crash
    PID:1324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1744
    3⤵
    - Program crash
    PID:1008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1552
    3⤵
    - Program crash
    PID:744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1752
    3⤵
    - Program crash
    PID:3668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1576
    3⤵
    - Program crash
    PID:904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1504
    3⤵
    - Program crash
    PID:1364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1852
    3⤵
    - Program crash
    PID:4048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1888
    3⤵
    - Program crash
    PID:4384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1892
    3⤵
    - Program crash
    PID:1632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1928
    3⤵
    - Program crash
    PID:4248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1864
    3⤵
    - Program crash
    PID:4996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1544
    3⤵
    - Program crash
    PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4868 -ip 4868
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4868 -ip 4868
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4868 -ip 4868
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4868 -ip 4868
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4868 -ip 4868
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4868 -ip 4868
1⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4868 -ip 4868
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4868 -ip 4868
1⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4868 -ip 4868
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4868 -ip 4868
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4868 -ip 4868
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4868 -ip 4868
1⤵
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4868 -ip 4868
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4868 -ip 4868
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4868 -ip 4868
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4868 -ip 4868
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4868 -ip 4868
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4868 -ip 4868
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4868 -ip 4868
1⤵
PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6A5qL6.xml

Filesize
1KB

MD5
5b695aef4804ed414d9c3b8f6871c367

SHA1
9b5108cb941e626e3661043a2ce810a83650b5f6

SHA256
9ad3df7ca39552896c7c47d87b2d507f05923de27ba464a5b02b1195abb6585a

SHA512
80bf048728284a8b7e0fb363d656a1dd33cc551de9e94ceecefa698d0b1dacd318e48db769d3efc26ac329308e828a7c3e93431e9063401e686b7a0e023aed4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0fed858de99d310f42e826063a8cbf0N.exe

Filesize
3.0MB

MD5
b0925187635ff9db3d65dd4c75b1d2d4

SHA1
64dc65e1086217485b952d70533daa74906f0232

SHA256
c222790f38cb9dc6ed62ae107f1e2282fcb38a4b9936970fedf83373556e8ae0

SHA512
91c120ae1b9a694a905b03c5cbdf4c7043dab23e6d4bfdadc5a652622709c5a283d717f4a961b85745dc63cec520e25b05c0e66df8e446be0f740938e44c7621

Download Submit
memory/4828-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4828-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4828-7-0x0000000026020000-0x000000002609E000-memory.dmp

Filesize
504KB

Download
memory/4828-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4868-15-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4868-22-0x0000000024FF0000-0x000000002506E000-memory.dmp

Filesize
504KB

Download
memory/4868-23-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/4868-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4868-45-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads