Malware Analysis Report

2024-10-24 16:30

Sample ID 220511-c5ybpsgehn
Target 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c
SHA256 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c
Tags
hiverat rat stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

Threat Level: Known bad

The file 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c was found to be: Known bad.

Malicious Activity Summary

hiverat rat stealer

HiveRAT

HiveRAT Payload

Executes dropped EXE

Loads dropped DLL

Drops startup file

Suspicious use of SetThreadContext

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-05-11 02:40

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-11 02:40

Reported

2022-05-11 04:03

Platform

win10v2004-20220414-en

Max time kernel

122s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe"

Signatures

HiveRAT

rat stealer hiverat

HiveRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5020 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 5020 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 5020 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 5020 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 5020 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 5020 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 5020 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 5020 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 5020 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

"C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe"

C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

"C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 764

Network

Country Destination Domain Proto
NL 8.238.24.126:80 tcp
US 93.184.220.29:80 tcp
US 13.89.178.26:443 tcp
BE 67.27.153.254:80 tcp

Files

memory/5020-130-0x0000000000FE0000-0x0000000001078000-memory.dmp

memory/5020-131-0x00000000060D0000-0x0000000006674000-memory.dmp

memory/5020-132-0x0000000005A10000-0x0000000005AA2000-memory.dmp

memory/5020-133-0x0000000005B00000-0x0000000005B0A000-memory.dmp

memory/5020-134-0x0000000006680000-0x000000000671C000-memory.dmp

memory/4964-135-0x0000000000000000-mapping.dmp

memory/4964-136-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

MD5 d21695b6d9bdd7ed0e35a0c70ce38205
SHA1 33522e95507f48e68a981b1097bcbe0354e31c1a
SHA256 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c
SHA512 0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

memory/4964-139-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-11 02:40

Reported

2022-05-11 04:03

Platform

win7-20220414-en

Max time kernel

70s

Max time network

42s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe"

Signatures

HiveRAT

rat stealer hiverat

HiveRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 2000 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 2000 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 2000 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 2000 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 2000 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 2000 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 2000 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 2000 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 2000 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 2020 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Windows\SysWOW64\WerFault.exe
PID 2020 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Windows\SysWOW64\WerFault.exe
PID 2020 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Windows\SysWOW64\WerFault.exe
PID 2020 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

"C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe"

C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

"C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 532

Network

N/A

Files

memory/2000-54-0x0000000001300000-0x0000000001398000-memory.dmp

memory/2000-55-0x0000000075221000-0x0000000075223000-memory.dmp

memory/2000-56-0x0000000001250000-0x00000000012E2000-memory.dmp

\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

MD5 d21695b6d9bdd7ed0e35a0c70ce38205
SHA1 33522e95507f48e68a981b1097bcbe0354e31c1a
SHA256 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c
SHA512 0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

memory/2020-58-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-59-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-61-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-62-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-63-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-65-0x000000000044CB3E-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

MD5 d21695b6d9bdd7ed0e35a0c70ce38205
SHA1 33522e95507f48e68a981b1097bcbe0354e31c1a
SHA256 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c
SHA512 0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

memory/2020-64-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-68-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-70-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1236-71-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

MD5 d21695b6d9bdd7ed0e35a0c70ce38205
SHA1 33522e95507f48e68a981b1097bcbe0354e31c1a
SHA256 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c
SHA512 0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

MD5 d21695b6d9bdd7ed0e35a0c70ce38205
SHA1 33522e95507f48e68a981b1097bcbe0354e31c1a
SHA256 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c
SHA512 0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

MD5 d21695b6d9bdd7ed0e35a0c70ce38205
SHA1 33522e95507f48e68a981b1097bcbe0354e31c1a
SHA256 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c
SHA512 0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

MD5 d21695b6d9bdd7ed0e35a0c70ce38205
SHA1 33522e95507f48e68a981b1097bcbe0354e31c1a
SHA256 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c
SHA512 0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

MD5 d21695b6d9bdd7ed0e35a0c70ce38205
SHA1 33522e95507f48e68a981b1097bcbe0354e31c1a
SHA256 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c
SHA512 0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f