12d7d5a2a3c4063d94fd782ee7fbf4d5c52750b40ca1bc185d28a126664a0b3a

Analysis

Target

soa.exe
Size

461KB
MD5

12d57069130c72bacbe0687b79d633e8
SHA1

5dd72d6f4361861559721e161414e2355dacefe9
SHA256

d887251ccd6c44329798ec262da14733ab9573b28ef725e31834d8b79e9f840d
SHA512

d6320b3362140a7105917626443ae52e7cbcbcde4ef9cc7be0af82c977509009ebfdf0c3b99a5455f4387a87ea5d6c1363eecaf026033d9cc0d5565981763410

Score

10^/10

coreentity rezer0

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

Processes:

resource	yara_rule
behavioral1/memory/1044-57-0x0000000000510000-0x0000000000518000-memory.dmp	coreentity

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

Processes:

resource	yara_rule
behavioral1/memory/1044-58-0x0000000007610000-0x0000000007666000-memory.dmp	rezer0

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2016 1044 WerFault.exe soa.exe

pid	pid_target	process	target process
2016	1044	WerFault.exe	soa.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

soa.exe

description	pid	process	target process
PID 1044 wrote to memory of 2016	1044	soa.exe	WerFault.exe
PID 1044 wrote to memory of 2016	1044	soa.exe	WerFault.exe
PID 1044 wrote to memory of 2016	1044	soa.exe	WerFault.exe
PID 1044 wrote to memory of 2016	1044	soa.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\soa.exe
"C:\Users\Admin\AppData\Local\Temp\soa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 692
2⤵
- Program crash
PID:2016

memory/1044-54-0x0000000000F80000-0x0000000000FFA000-memory.dmp

Filesize
488KB

Download
memory/1044-55-0x0000000006C60000-0x0000000006CC4000-memory.dmp

Filesize
400KB

Download
memory/1044-56-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1044-57-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/1044-58-0x0000000007610000-0x0000000007666000-memory.dmp

Filesize
344KB

Download
memory/2016-59-0x0000000000000000-mapping.dmp

Download