47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2f

Analysis

max time kernel
94s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 08:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe
Size

2.8MB
MD5

3b2b45fc92ff48933137dd93f9ca1340
SHA1

602883deb2269a9c07c707e2f65c3d28da764310
SHA256

47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2f
SHA512

fd8fcae7b2f7872d71b53d7b9232c74b3bf1d5a4c0a2cae3ef4b46d64a6445d64f5b2a3c8c2643aca094087bde91c9f1d78b580710292bb56ff8b3c45f8f10f0
SSDEEP

49152:XoarXH1/0fEWdHJEuMlSVj2BY2b+wKSp8lmQnqyHJEuMlSVj2636rT8lxre+wNJZ:YcXH18fEWdHJEu9Vj2BY2ZKS6lHqyHJA

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2136	47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe

Executes dropped EXE 1 IoCs

pid	Process
2136	47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
13	pastebin.com

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4756-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/memory/2136-14-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x0008000000023490-12.dat	upx

Program crash 14 IoCs

pid	pid_target	Process	procid_target
964	2136	WerFault.exe	83
3368	2136	WerFault.exe	83
1044	2136	WerFault.exe	83
1604	2136	WerFault.exe	83
5052	2136	WerFault.exe	83
4084	2136	WerFault.exe	83
1272	2136	WerFault.exe	83
3392	2136	WerFault.exe	83
2752	2136	WerFault.exe	83
3780	2136	WerFault.exe	83
4120	2136	WerFault.exe	83
3496	2136	WerFault.exe	83
4916	2136	WerFault.exe	83
4376	2136	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3740	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4756	47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4756	47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe
2136	47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 2136	4756	47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe	83
PID 4756 wrote to memory of 2136	4756	47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe	83
PID 4756 wrote to memory of 2136	4756	47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe	83
PID 2136 wrote to memory of 3740	2136	47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe	84
PID 2136 wrote to memory of 3740	2136	47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe	84
PID 2136 wrote to memory of 3740	2136	47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe	84
PID 2136 wrote to memory of 4964	2136	47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe	86
PID 2136 wrote to memory of 4964	2136	47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe	86
PID 2136 wrote to memory of 4964	2136	47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe	86
PID 4964 wrote to memory of 3620	4964	cmd.exe	88
PID 4964 wrote to memory of 3620	4964	cmd.exe	88
PID 4964 wrote to memory of 3620	4964	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe
"C:\Users\Admin\AppData\Local\Temp\47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Users\Admin\AppData\Local\Temp\47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe
  C:\Users\Admin\AppData\Local\Temp\47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe" /TN MiZnDzuw251a /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3740
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN MiZnDzuw251a > C:\Users\Admin\AppData\Local\Temp\5iX8kPXRT.xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN MiZnDzuw251a
      4⤵
      System Location Discovery: System Language Discovery
      PID:3620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 616
    3⤵
    - Program crash
    PID:964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 648
    3⤵
    - Program crash
    PID:3368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 656
    3⤵
    - Program crash
    PID:1044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 716
    3⤵
    - Program crash
    PID:1604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 744
    3⤵
    - Program crash
    PID:5052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 804
    3⤵
    - Program crash
    PID:4084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1392
    3⤵
    - Program crash
    PID:1272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1500
    3⤵
    - Program crash
    PID:3392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1548
    3⤵
    - Program crash
    PID:2752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1588
    3⤵
    - Program crash
    PID:3780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1748
    3⤵
    - Program crash
    PID:4120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1780
    3⤵
    - Program crash
    PID:3496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1832
    3⤵
    - Program crash
    PID:4916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1568
    3⤵
    - Program crash
    PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2136 -ip 2136
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2136 -ip 2136
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2136 -ip 2136
1⤵
PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2136 -ip 2136
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2136 -ip 2136
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2136 -ip 2136
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2136 -ip 2136
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2136 -ip 2136
1⤵
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2136 -ip 2136
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2136 -ip 2136
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2136 -ip 2136
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2136 -ip 2136
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2136 -ip 2136
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2136 -ip 2136
1⤵
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\47844e557aae02b0e21452d42be84573caeac9165ea071693cd6d289b70b6e2fN.exe

Filesize
2.8MB

MD5
d8a911063631827a9b503f1c85cea8ec

SHA1
47e0e95949a7a36e477840e7a551b4738cbd2544

SHA256
432afd3ec5bf83b903c05746926f5842b06bed7581067ee574239b9024c5765d

SHA512
5dc4a7097b706c7e28e5df8f5cd02e49c5c2260a65332266e2c9e9f97991b7f1e4bfc2b972c0cc1b5de24ce4c30e390545484f77502136a539e1cf040f70915d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5iX8kPXRT.xml

Filesize
1KB

MD5
7b462292539353091b2ab8792e17d0b7

SHA1
fdaad039af3e5d08bf511dd00e0e614466b5c506

SHA256
52aeec7ee7dc0e4fcd5e57690b5d79bfb2863fd8ab423ee501b5c38c9c04b4b2

SHA512
2d0c0b395b5fea3b3febbb3d392953f9adb1787d646fd3faf6b2296fcf3db0dee148d906c9753adf440e8d1d02b33996e646cbe2a8990447a4970242d2fc28c0

Download Submit
memory/2136-14-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2136-21-0x0000000025060000-0x00000000250DE000-memory.dmp

Filesize
504KB

Download
memory/2136-22-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2136-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2136-38-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4756-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4756-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4756-6-0x0000000001720000-0x000000000179E000-memory.dmp

Filesize
504KB

Download
memory/4756-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads