5574032ab2c7e1c520e7e045d7978eb2ad60862072070c53f533ee1417e0dced

Analysis

max time kernel
96s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8ac696891ef6fa944c0f8c6a15425e0N.exe
Size

3.0MB
MD5

c8ac696891ef6fa944c0f8c6a15425e0
SHA1

5a3e2cfe6729a771cf0958a990ae6b589e091823
SHA256

5574032ab2c7e1c520e7e045d7978eb2ad60862072070c53f533ee1417e0dced
SHA512

d605732de95945f98b3b8ea8711bef4b71e5839e694a76a51524a4484c8da92b43bf0db0dc3e6aafcb4e89e6914b3744735da98c929309d143ebcfcdb1ce15eb
SSDEEP

49152:OnhfBnKqmu4WmycakLVy5dv5sgpkB5+PcakLfqKby/RwkW9qcakLVy5dv5sgpkB/:OnhfBJmhWmycakhy595sgp9cakzqKbyM

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4024	c8ac696891ef6fa944c0f8c6a15425e0N.exe

Executes dropped EXE 1 IoCs

pid	Process
4024	c8ac696891ef6fa944c0f8c6a15425e0N.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3636-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x00090000000233d6-12.dat	upx
behavioral2/memory/4024-14-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
13	pastebin.com

Program crash 19 IoCs

pid	pid_target	Process	procid_target
1420	4024	WerFault.exe	85
5112	4024	WerFault.exe	85
712	4024	WerFault.exe	85
2924	4024	WerFault.exe	85
1748	4024	WerFault.exe	85
1124	4024	WerFault.exe	85
3192	4024	WerFault.exe	85
2828	4024	WerFault.exe	85
2116	4024	WerFault.exe	85
4064	4024	WerFault.exe	85
4404	4024	WerFault.exe	85
2532	4024	WerFault.exe	85
4948	4024	WerFault.exe	85
3988	4024	WerFault.exe	85
3588	4024	WerFault.exe	85
2444	4024	WerFault.exe	85
1412	4024	WerFault.exe	85
2896	4024	WerFault.exe	85
2536	4024	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8ac696891ef6fa944c0f8c6a15425e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8ac696891ef6fa944c0f8c6a15425e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2140	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3636	c8ac696891ef6fa944c0f8c6a15425e0N.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3636	c8ac696891ef6fa944c0f8c6a15425e0N.exe
4024	c8ac696891ef6fa944c0f8c6a15425e0N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 4024	3636	c8ac696891ef6fa944c0f8c6a15425e0N.exe	85
PID 3636 wrote to memory of 4024	3636	c8ac696891ef6fa944c0f8c6a15425e0N.exe	85
PID 3636 wrote to memory of 4024	3636	c8ac696891ef6fa944c0f8c6a15425e0N.exe	85
PID 4024 wrote to memory of 2140	4024	c8ac696891ef6fa944c0f8c6a15425e0N.exe	87
PID 4024 wrote to memory of 2140	4024	c8ac696891ef6fa944c0f8c6a15425e0N.exe	87
PID 4024 wrote to memory of 2140	4024	c8ac696891ef6fa944c0f8c6a15425e0N.exe	87
PID 4024 wrote to memory of 1788	4024	c8ac696891ef6fa944c0f8c6a15425e0N.exe	89
PID 4024 wrote to memory of 1788	4024	c8ac696891ef6fa944c0f8c6a15425e0N.exe	89
PID 4024 wrote to memory of 1788	4024	c8ac696891ef6fa944c0f8c6a15425e0N.exe	89
PID 1788 wrote to memory of 1348	1788	cmd.exe	91
PID 1788 wrote to memory of 1348	1788	cmd.exe	91
PID 1788 wrote to memory of 1348	1788	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\c8ac696891ef6fa944c0f8c6a15425e0N.exe
"C:\Users\Admin\AppData\Local\Temp\c8ac696891ef6fa944c0f8c6a15425e0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Local\Temp\c8ac696891ef6fa944c0f8c6a15425e0N.exe
  C:\Users\Admin\AppData\Local\Temp\c8ac696891ef6fa944c0f8c6a15425e0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c8ac696891ef6fa944c0f8c6a15425e0N.exe" /TN I8mYOnEac625 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN I8mYOnEac625 > C:\Users\Admin\AppData\Local\Temp\LEfHhi0q.xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN I8mYOnEac625
      4⤵
      System Location Discovery: System Language Discovery
      PID:1348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 604
    3⤵
    - Program crash
    PID:1420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 640
    3⤵
    - Program crash
    PID:5112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 600
    3⤵
    - Program crash
    PID:712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 628
    3⤵
    - Program crash
    PID:2924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 740
    3⤵
    - Program crash
    PID:1748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 776
    3⤵
    - Program crash
    PID:1124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1468
    3⤵
    - Program crash
    PID:3192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1532
    3⤵
    - Program crash
    PID:2828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1744
    3⤵
    - Program crash
    PID:2116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1512
    3⤵
    - Program crash
    PID:4064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1536
    3⤵
    - Program crash
    PID:4404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1508
    3⤵
    - Program crash
    PID:2532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1744
    3⤵
    - Program crash
    PID:4948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1512
    3⤵
    - Program crash
    PID:3988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1712
    3⤵
    - Program crash
    PID:3588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1796
    3⤵
    - Program crash
    PID:2444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1844
    3⤵
    - Program crash
    PID:1412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1572
    3⤵
    - Program crash
    PID:2896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1588
    3⤵
    - Program crash
    PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4024 -ip 4024
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4024 -ip 4024
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4024 -ip 4024
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4024 -ip 4024
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4024 -ip 4024
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4024 -ip 4024
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4024 -ip 4024
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4024 -ip 4024
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4024 -ip 4024
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4024 -ip 4024
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4024 -ip 4024
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4024 -ip 4024
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4024 -ip 4024
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4024 -ip 4024
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4024 -ip 4024
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4024 -ip 4024
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4024 -ip 4024
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4024 -ip 4024
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4024 -ip 4024
1⤵
PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LEfHhi0q.xml

Filesize
1KB

MD5
9598bc4eaae5061f7eff6d33703adb84

SHA1
2fffc7c435bcedbce715771acbf96269f5baec03

SHA256
21b04b2e18a35325885da9df79b4639558f3a42094a4cd3519007c6ff271d5e4

SHA512
a9386853c3768ceaff44b4474e3c6cea54bf7b9def0f25486a8125e4de79d8deba91b54031bbe857567e2d50f301eb2ad1bf8207799461b45e5af7905e3fecf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8ac696891ef6fa944c0f8c6a15425e0N.exe

Filesize
3.0MB

MD5
cd5e0f5773e64eba3d6d814c1e3bc72a

SHA1
b23871e0947ddb7ccb1e86c43555dfb2e8246573

SHA256
15408a867df2dba90c10dc49532e7e4fd572608fba0e39fc77ef091a334e6f44

SHA512
0a3e281ea272f8ac8c830e7397e15fe8a22c155e0eece8aeb2714d4336b7e5a7235d709b5344728671637db40c95b7a926fa6e132ac57ae173db6b7d24b2911d

Download Submit
memory/3636-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3636-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3636-7-0x0000000001730000-0x00000000017AE000-memory.dmp

Filesize
504KB

Download
memory/3636-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4024-14-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4024-21-0x0000000025000000-0x000000002507E000-memory.dmp

Filesize
504KB

Download
memory/4024-22-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/4024-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4024-44-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads