7bb49cd80ba13e0d208ae1b6f4498f515851c93eebfad5e321c7c14b7f745a89

Analysis

max time kernel
91s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bb49cd80ba13e0d208ae1b6f4498f515851c93eebfad5e321c7c14b7f745a89.exe
Size

85KB
MD5

916dd7eeb1c42b8a4406da435f52c760
SHA1

c410e8a3d92694670b4798f598da8600b90d572f
SHA256

7bb49cd80ba13e0d208ae1b6f4498f515851c93eebfad5e321c7c14b7f745a89
SHA512

cf677b8c9ddca6e432fc30be4d0d88676b49548f815cf122b3cc9fee9bc390ecbbe53bccd6d214bc7184e4a385bed79000d55375da7ec995d30a8b3c6acf2bce
SSDEEP

1536:N9eii5NY0WEPKPHAekKserKp3o2We+nV4P6eVqiaSt/1u/W0RvBdBDRCG9+BVi:nx0WEPKPHAerx2InV66eVq5SfuZzDoG/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3028	rtiu1rf.exe
2636	rtiu1rf.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2060 set thread context of 3188	2060	7bb49cd80ba13e0d208ae1b6f4498f515851c93eebfad5e321c7c14b7f745a89.exe	82
PID 3028 set thread context of 2636	3028	rtiu1rf.exe	87

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1964	2060	WerFault.exe	79
1396	3028	WerFault.exe	85

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 3188	2060	7bb49cd80ba13e0d208ae1b6f4498f515851c93eebfad5e321c7c14b7f745a89.exe	82
PID 2060 wrote to memory of 3188	2060	7bb49cd80ba13e0d208ae1b6f4498f515851c93eebfad5e321c7c14b7f745a89.exe	82
PID 2060 wrote to memory of 3188	2060	7bb49cd80ba13e0d208ae1b6f4498f515851c93eebfad5e321c7c14b7f745a89.exe	82
PID 2060 wrote to memory of 3188	2060	7bb49cd80ba13e0d208ae1b6f4498f515851c93eebfad5e321c7c14b7f745a89.exe	82
PID 2060 wrote to memory of 3188	2060	7bb49cd80ba13e0d208ae1b6f4498f515851c93eebfad5e321c7c14b7f745a89.exe	82
PID 3188 wrote to memory of 3028	3188	7bb49cd80ba13e0d208ae1b6f4498f515851c93eebfad5e321c7c14b7f745a89.exe	85
PID 3188 wrote to memory of 3028	3188	7bb49cd80ba13e0d208ae1b6f4498f515851c93eebfad5e321c7c14b7f745a89.exe	85
PID 3188 wrote to memory of 3028	3188	7bb49cd80ba13e0d208ae1b6f4498f515851c93eebfad5e321c7c14b7f745a89.exe	85
PID 3028 wrote to memory of 2636	3028	rtiu1rf.exe	87
PID 3028 wrote to memory of 2636	3028	rtiu1rf.exe	87
PID 3028 wrote to memory of 2636	3028	rtiu1rf.exe	87
PID 3028 wrote to memory of 2636	3028	rtiu1rf.exe	87
PID 3028 wrote to memory of 2636	3028	rtiu1rf.exe	87

C:\Users\Admin\AppData\Local\Temp\7bb49cd80ba13e0d208ae1b6f4498f515851c93eebfad5e321c7c14b7f745a89.exe
"C:\Users\Admin\AppData\Local\Temp\7bb49cd80ba13e0d208ae1b6f4498f515851c93eebfad5e321c7c14b7f745a89.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\7bb49cd80ba13e0d208ae1b6f4498f515851c93eebfad5e321c7c14b7f745a89.exe
  C:\Users\Admin\AppData\Local\Temp\7bb49cd80ba13e0d208ae1b6f4498f515851c93eebfad5e321c7c14b7f745a89.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Users\Admin\AppData\Roaming\rtiu1rf.exe
    C:\Users\Admin\AppData\Roaming\rtiu1rf.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Users\Admin\AppData\Roaming\rtiu1rf.exe
      C:\Users\Admin\AppData\Roaming\rtiu1rf.exe
      4⤵
      Executes dropped EXE
      PID:2636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 304
      4⤵
      Program crash
      PID:1396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 316
  2⤵
  - Program crash
  PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2060 -ip 2060
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3028 -ip 3028
1⤵
PID:4296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rtiu1rf.exe

Filesize
85KB

MD5
728d65a1d7eb833381b7c5fba1d7cc9b

SHA1
aea0de4a4bd40cd8ea61cd30bd7aa9915ccb48a8

SHA256
15ffbdf2e2482336e91ac07c80d700faf9febfbdf1129d84394dff0011a01067

SHA512
3cbf55420cdd0ba3a96ae9b609d7bb056d9cabe64390f6756a92d79cf69c3aa712b16bbfbf37cd57500b1e27e4b84051778bf83f5d8c8c0d0d4f161406e240f2

Download Submit
C:\Users\Admin\AppData\Roaming\rtiu1rf.exe

Filesize
85KB

MD5
728d65a1d7eb833381b7c5fba1d7cc9b

SHA1
aea0de4a4bd40cd8ea61cd30bd7aa9915ccb48a8

SHA256
15ffbdf2e2482336e91ac07c80d700faf9febfbdf1129d84394dff0011a01067

SHA512
3cbf55420cdd0ba3a96ae9b609d7bb056d9cabe64390f6756a92d79cf69c3aa712b16bbfbf37cd57500b1e27e4b84051778bf83f5d8c8c0d0d4f161406e240f2

Download Submit
C:\Users\Admin\AppData\Roaming\rtiu1rf.exe

Filesize
85KB

MD5
728d65a1d7eb833381b7c5fba1d7cc9b

SHA1
aea0de4a4bd40cd8ea61cd30bd7aa9915ccb48a8

SHA256
15ffbdf2e2482336e91ac07c80d700faf9febfbdf1129d84394dff0011a01067

SHA512
3cbf55420cdd0ba3a96ae9b609d7bb056d9cabe64390f6756a92d79cf69c3aa712b16bbfbf37cd57500b1e27e4b84051778bf83f5d8c8c0d0d4f161406e240f2

Download Submit
memory/2636-142-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2636-143-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2636-145-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2636-146-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3188-135-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3188-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3188-133-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3188-144-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads