35f20c8ae6e9990812b6ccf20321af32662bcf76d8c27a800f086255911bfb6b

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

teur4.exe
Size

615KB
MD5

b3e46b8cbe83d0e6002173c37e8436a7
SHA1

de994b98fac3f9499ee15c3ccf859ef05db14b62
SHA256

35f20c8ae6e9990812b6ccf20321af32662bcf76d8c27a800f086255911bfb6b
SHA512

5f9a07740d76c9407160029655a9b66a50e136b63abd071c79106d2339b6951c28397f441cec7c99d968706ed7bd4e01288459bf22e0489fca646eccf0dc57f8
SSDEEP

12288:3Ui+Sybja8AwVReTD7oB++4clgVY3fYNKfPTksjUTyKJrVSo5flO9dJu:3KSybm8AaRiE+wy2PYNCQIWVd5cw

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3512	teur4.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4448-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x000a000000023438-12.dat	upx
behavioral2/memory/3512-13-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
14	pastebin.com

Program crash 20 IoCs

pid	pid_target	Process	procid_target
3372	3512	WerFault.exe	84
960	3512	WerFault.exe	84
3456	3512	WerFault.exe	84
2280	3512	WerFault.exe	84
3304	3512	WerFault.exe	84
3424	3512	WerFault.exe	84
4724	3512	WerFault.exe	84
3100	3512	WerFault.exe	84
3720	3512	WerFault.exe	84
2460	3512	WerFault.exe	84
3080	3512	WerFault.exe	84
1956	3512	WerFault.exe	84
3840	3512	WerFault.exe	84
1652	3512	WerFault.exe	84
4744	3512	WerFault.exe	84
1832	3512	WerFault.exe	84
2712	3512	WerFault.exe	84
1020	3512	WerFault.exe	84
1460	3512	WerFault.exe	84
2848	3512	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	teur4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	teur4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1976	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4448	teur4.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4448	teur4.exe
3512	teur4.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 3512	4448	teur4.exe	84
PID 4448 wrote to memory of 3512	4448	teur4.exe	84
PID 4448 wrote to memory of 3512	4448	teur4.exe	84
PID 3512 wrote to memory of 1976	3512	teur4.exe	86
PID 3512 wrote to memory of 1976	3512	teur4.exe	86
PID 3512 wrote to memory of 1976	3512	teur4.exe	86
PID 3512 wrote to memory of 3108	3512	teur4.exe	88
PID 3512 wrote to memory of 3108	3512	teur4.exe	88
PID 3512 wrote to memory of 3108	3512	teur4.exe	88
PID 3108 wrote to memory of 2468	3108	cmd.exe	90
PID 3108 wrote to memory of 2468	3108	cmd.exe	90
PID 3108 wrote to memory of 2468	3108	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\teur4.exe
"C:\Users\Admin\AppData\Local\Temp\teur4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Users\Admin\AppData\Local\Temp\teur4.exe
  C:\Users\Admin\AppData\Local\Temp\teur4.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\teur4.exe" /TN aKYcHkR9d823 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN aKYcHkR9d823 > C:\Users\Admin\AppData\Local\Temp\GaGKE.xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN aKYcHkR9d823
      4⤵
      System Location Discovery: System Language Discovery
      PID:2468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 616
    3⤵
    - Program crash
    PID:3372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 660
    3⤵
    - Program crash
    PID:960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 668
    3⤵
    - Program crash
    PID:3456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 664
    3⤵
    - Program crash
    PID:2280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 724
    3⤵
    - Program crash
    PID:3304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 780
    3⤵
    - Program crash
    PID:3424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1468
    3⤵
    - Program crash
    PID:4724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1468
    3⤵
    - Program crash
    PID:3100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1744
    3⤵
    - Program crash
    PID:3720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1524
    3⤵
    - Program crash
    PID:2460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1540
    3⤵
    - Program crash
    PID:3080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1592
    3⤵
    - Program crash
    PID:1956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1500
    3⤵
    - Program crash
    PID:3840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1468
    3⤵
    - Program crash
    PID:1652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1796
    3⤵
    - Program crash
    PID:4744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1196
    3⤵
    - Program crash
    PID:1832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1800
    3⤵
    - Program crash
    PID:2712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1560
    3⤵
    - Program crash
    PID:1020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1532
    3⤵
    - Program crash
    PID:1460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 656
    3⤵
    - Program crash
    PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3512 -ip 3512
1⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3512 -ip 3512
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3512 -ip 3512
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3512 -ip 3512
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3512 -ip 3512
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3512 -ip 3512
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3512 -ip 3512
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3512 -ip 3512
1⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3512 -ip 3512
1⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3512 -ip 3512
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3512 -ip 3512
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3512 -ip 3512
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3512 -ip 3512
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3512 -ip 3512
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3512 -ip 3512
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3512 -ip 3512
1⤵
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3512 -ip 3512
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3512 -ip 3512
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3512 -ip 3512
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3512 -ip 3512
1⤵
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GaGKE.xml

Filesize
1KB

MD5
b4e4fc90657dadf75708e80cf4c2c29f

SHA1
03ad864826ad6b5a0fb5ca513553b8ca6cfc467d

SHA256
c12a69413657af39f4b1d2474ea522fad4c15e2e2b96abb47da0bf97da8577c1

SHA512
a06fb6af81a6d52a8be60708fcc3f49d5d93ffb9f845fadef797185d8b805f450f7e67cf456a9a3ec3e066946c172e25243ff7b2768d4d1d5810ba9e6b18eccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\teur4.exe

Filesize
615KB

MD5
9f26a9328cef0e6f3cdedf4a1b0ecbba

SHA1
ad48196ac38a5c1743afa45abdf84cbf56b1d8d0

SHA256
ea09c5aac8792cb0314a557180d370c84a9e6ae87be1ae3d08f98dd076701452

SHA512
5249763858f2866bbf404bd6a0088ea0c717a37a29afcbd0b4dcaf92f53358589b8ed0be1ad8102c51638ee5b2cb2a1aba5fb73a337a7deed8bc250d625b0d6f

Download Submit
memory/3512-13-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3512-21-0x00000000016D0000-0x000000000174E000-memory.dmp

Filesize
504KB

Download
memory/3512-22-0x00000000004B0000-0x000000000051B000-memory.dmp

Filesize
428KB

Download
memory/3512-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3512-44-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4448-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4448-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4448-7-0x0000000025040000-0x00000000250BE000-memory.dmp

Filesize
504KB

Download
memory/4448-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads