6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 14:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe
Size

259KB
MD5

448d65ab535c8546853e34771ceb2720
SHA1

7fa47a87eb55611a754ad456c91f75dbe9d725cd
SHA256

6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac
SHA512

8489789a182f639b7ecc959d7fb6e2ed7b01012d98fc18126f41e099a57b4e796885eab6aef63bc7bb314ac635454e15503a4d2edeca55ebfa20b7373d8957d0
SSDEEP

6144:X8s6C9ZgwZSzmuziOkWi1YSioGPIIgzJzUaS8y+Gju8X:D9ZRSzPW/WiMSzUmT6

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1904	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp
1616	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp.tmp

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000122e9-61.dat	upx
behavioral1/files/0x000a0000000122e9-63.dat	upx
behavioral1/files/0x000a0000000122e9-66.dat	upx
behavioral1/files/0x000a0000000122e9-71.dat	upx
behavioral1/files/0x000a0000000122e9-70.dat	upx
behavioral1/files/0x000a0000000122e9-69.dat	upx
behavioral1/files/0x000a0000000122e9-68.dat	upx
behavioral1/files/0x000a0000000122e9-67.dat	upx
behavioral1/memory/1616-73-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/files/0x000a0000000122e9-74.dat	upx

Loads dropped DLL 10 IoCs

pid	Process
1044	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe
1044	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe
1904	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1520	1616	WerFault.exe	29

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1044	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe
1044	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe
1904	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp
1904	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp
1044	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe
1904	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1904	1044	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe	28
PID 1044 wrote to memory of 1904	1044	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe	28
PID 1044 wrote to memory of 1904	1044	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe	28
PID 1044 wrote to memory of 1904	1044	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe	28
PID 1904 wrote to memory of 1616	1904	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp	29
PID 1904 wrote to memory of 1616	1904	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp	29
PID 1904 wrote to memory of 1616	1904	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp	29
PID 1904 wrote to memory of 1616	1904	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp	29
PID 1616 wrote to memory of 1520	1616	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp.tmp	30
PID 1616 wrote to memory of 1520	1616	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp.tmp	30
PID 1616 wrote to memory of 1520	1616	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp.tmp	30
PID 1616 wrote to memory of 1520	1616	6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp.tmp	30

C:\Users\Admin\AppData\Local\Temp\6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe
"C:\Users\Admin\AppData\Local\Temp\6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp
  C:\Users\Admin\AppData\Local\Temp\6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp.tmp
    C:\Users\Admin\AppData\Local\Temp\6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp.tmp
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 204
      4⤵
      Loads dropped DLL
      Program crash
      PID:1520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp

Filesize
227KB

MD5
b904425043779a78e5fe3325f399a1b4

SHA1
9c04b28b7164045d1adf06849888fbf2a7b9b6d7

SHA256
059cb55fe23da8634d10918d01cff8f1a37f3c1e02f2fb5b1040e6be458bab1d

SHA512
a92567a07ea1b9156722a9f9bec72c9157e2d9d7e45dc28c7282e939062dc6d49ac97ef67174ef0217ab6cfacb77f04b61f434b9d0864e3e6dffc788dfd4292f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp

Filesize
227KB

MD5
b904425043779a78e5fe3325f399a1b4

SHA1
9c04b28b7164045d1adf06849888fbf2a7b9b6d7

SHA256
059cb55fe23da8634d10918d01cff8f1a37f3c1e02f2fb5b1040e6be458bab1d

SHA512
a92567a07ea1b9156722a9f9bec72c9157e2d9d7e45dc28c7282e939062dc6d49ac97ef67174ef0217ab6cfacb77f04b61f434b9d0864e3e6dffc788dfd4292f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp.tmp

Filesize
195KB

MD5
552a8d5df1fa89768b245e950349ab6f

SHA1
2fe0804f37f0dfa82fd3904c16a8b03a2d1655fa

SHA256
5494405511e0d6c43563621fc7409d5b46cf86dbfd63603117f8b8a93f5c04ac

SHA512
786d7877617536d4afee518e8a9e6b8d389e03681a1a0642a4ea01e49d79ef1e6b7b9f1abe3e812fd9d3f8e302932258322c6065a0b26a1fb9af6dc7972436bf

Download Submit
\Users\Admin\AppData\Local\Temp\6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp

Filesize
227KB

MD5
b904425043779a78e5fe3325f399a1b4

SHA1
9c04b28b7164045d1adf06849888fbf2a7b9b6d7

SHA256
059cb55fe23da8634d10918d01cff8f1a37f3c1e02f2fb5b1040e6be458bab1d

SHA512
a92567a07ea1b9156722a9f9bec72c9157e2d9d7e45dc28c7282e939062dc6d49ac97ef67174ef0217ab6cfacb77f04b61f434b9d0864e3e6dffc788dfd4292f

Download Submit
\Users\Admin\AppData\Local\Temp\6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp

Filesize
227KB

MD5
b904425043779a78e5fe3325f399a1b4

SHA1
9c04b28b7164045d1adf06849888fbf2a7b9b6d7

SHA256
059cb55fe23da8634d10918d01cff8f1a37f3c1e02f2fb5b1040e6be458bab1d

SHA512
a92567a07ea1b9156722a9f9bec72c9157e2d9d7e45dc28c7282e939062dc6d49ac97ef67174ef0217ab6cfacb77f04b61f434b9d0864e3e6dffc788dfd4292f

Download Submit
\Users\Admin\AppData\Local\Temp\6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp.tmp

Filesize
195KB

MD5
552a8d5df1fa89768b245e950349ab6f

SHA1
2fe0804f37f0dfa82fd3904c16a8b03a2d1655fa

SHA256
5494405511e0d6c43563621fc7409d5b46cf86dbfd63603117f8b8a93f5c04ac

SHA512
786d7877617536d4afee518e8a9e6b8d389e03681a1a0642a4ea01e49d79ef1e6b7b9f1abe3e812fd9d3f8e302932258322c6065a0b26a1fb9af6dc7972436bf

Download Submit
\Users\Admin\AppData\Local\Temp\6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp.tmp

Filesize
195KB

MD5
552a8d5df1fa89768b245e950349ab6f

SHA1
2fe0804f37f0dfa82fd3904c16a8b03a2d1655fa

SHA256
5494405511e0d6c43563621fc7409d5b46cf86dbfd63603117f8b8a93f5c04ac

SHA512
786d7877617536d4afee518e8a9e6b8d389e03681a1a0642a4ea01e49d79ef1e6b7b9f1abe3e812fd9d3f8e302932258322c6065a0b26a1fb9af6dc7972436bf

Download Submit
\Users\Admin\AppData\Local\Temp\6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp.tmp

Filesize
195KB

MD5
552a8d5df1fa89768b245e950349ab6f

SHA1
2fe0804f37f0dfa82fd3904c16a8b03a2d1655fa

SHA256
5494405511e0d6c43563621fc7409d5b46cf86dbfd63603117f8b8a93f5c04ac

SHA512
786d7877617536d4afee518e8a9e6b8d389e03681a1a0642a4ea01e49d79ef1e6b7b9f1abe3e812fd9d3f8e302932258322c6065a0b26a1fb9af6dc7972436bf

Download Submit
\Users\Admin\AppData\Local\Temp\6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp.tmp

Filesize
195KB

MD5
552a8d5df1fa89768b245e950349ab6f

SHA1
2fe0804f37f0dfa82fd3904c16a8b03a2d1655fa

SHA256
5494405511e0d6c43563621fc7409d5b46cf86dbfd63603117f8b8a93f5c04ac

SHA512
786d7877617536d4afee518e8a9e6b8d389e03681a1a0642a4ea01e49d79ef1e6b7b9f1abe3e812fd9d3f8e302932258322c6065a0b26a1fb9af6dc7972436bf

Download Submit
\Users\Admin\AppData\Local\Temp\6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp.tmp

Filesize
195KB

MD5
552a8d5df1fa89768b245e950349ab6f

SHA1
2fe0804f37f0dfa82fd3904c16a8b03a2d1655fa

SHA256
5494405511e0d6c43563621fc7409d5b46cf86dbfd63603117f8b8a93f5c04ac

SHA512
786d7877617536d4afee518e8a9e6b8d389e03681a1a0642a4ea01e49d79ef1e6b7b9f1abe3e812fd9d3f8e302932258322c6065a0b26a1fb9af6dc7972436bf

Download Submit
\Users\Admin\AppData\Local\Temp\6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp.tmp

Filesize
195KB

MD5
552a8d5df1fa89768b245e950349ab6f

SHA1
2fe0804f37f0dfa82fd3904c16a8b03a2d1655fa

SHA256
5494405511e0d6c43563621fc7409d5b46cf86dbfd63603117f8b8a93f5c04ac

SHA512
786d7877617536d4afee518e8a9e6b8d389e03681a1a0642a4ea01e49d79ef1e6b7b9f1abe3e812fd9d3f8e302932258322c6065a0b26a1fb9af6dc7972436bf

Download Submit
\Users\Admin\AppData\Local\Temp\6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp.tmp

Filesize
195KB

MD5
552a8d5df1fa89768b245e950349ab6f

SHA1
2fe0804f37f0dfa82fd3904c16a8b03a2d1655fa

SHA256
5494405511e0d6c43563621fc7409d5b46cf86dbfd63603117f8b8a93f5c04ac

SHA512
786d7877617536d4afee518e8a9e6b8d389e03681a1a0642a4ea01e49d79ef1e6b7b9f1abe3e812fd9d3f8e302932258322c6065a0b26a1fb9af6dc7972436bf

Download Submit
\Users\Admin\AppData\Local\Temp\6462b2b5d3f59f0a34b69ebbe039d9f96f847d781b2ec4431699d5fc178685ac.exe.tmp.tmp

Filesize
195KB

MD5
552a8d5df1fa89768b245e950349ab6f

SHA1
2fe0804f37f0dfa82fd3904c16a8b03a2d1655fa

SHA256
5494405511e0d6c43563621fc7409d5b46cf86dbfd63603117f8b8a93f5c04ac

SHA512
786d7877617536d4afee518e8a9e6b8d389e03681a1a0642a4ea01e49d79ef1e6b7b9f1abe3e812fd9d3f8e302932258322c6065a0b26a1fb9af6dc7972436bf

Download Submit
memory/1044-54-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1616-73-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1904-72-0x0000000000350000-0x00000000003DC000-memory.dmp

Filesize
560KB

Download
memory/1904-75-0x0000000000350000-0x00000000003DC000-memory.dmp

Filesize
560KB

Download