6889ca5384c023d597e9cfcdbb95693eab9b4fab32766cf540a6fe30a2aae635

Analysis

max time kernel
91s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 06:33

Target

6889ca5384c023d597e9cfcdbb95693eab9b4fab32766cf540a6fe30a2aae635.exe
Size

562KB
MD5

23502889515ce617d32e986fa2c6c8c0
SHA1

71684971fb62acaf60faf7c57d27aa87def3c105
SHA256

6889ca5384c023d597e9cfcdbb95693eab9b4fab32766cf540a6fe30a2aae635
SHA512

892bcdf9c246c07dcb2005ba654f3d4b45e92d30d2753d12e4c1bdd3ecc713ccc688ee5b6ad7a1d108b0d9f557d4158b8a0822315cb1b96e1317fe9aa18bce51
SSDEEP

12288:bng4ghh1RmQVnVGwPCMsKhCqx/6JwLqhe:zg4gP1BVrmKvAeLqk

Score

3^/10

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4708	1080	WerFault.exe	77
2248	4904	WerFault.exe	81
4692	4048	WerFault.exe	82

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
1080	6889ca5384c023d597e9cfcdbb95693eab9b4fab32766cf540a6fe30a2aae635.exe
4904	6889ca5384c023d597e9cfcdbb95693eab9b4fab32766cf540a6fe30a2aae635.exe
4048	6889ca5384c023d597e9cfcdbb95693eab9b4fab32766cf540a6fe30a2aae635.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 4904	1080	6889ca5384c023d597e9cfcdbb95693eab9b4fab32766cf540a6fe30a2aae635.exe	81
PID 1080 wrote to memory of 4904	1080	6889ca5384c023d597e9cfcdbb95693eab9b4fab32766cf540a6fe30a2aae635.exe	81
PID 1080 wrote to memory of 4904	1080	6889ca5384c023d597e9cfcdbb95693eab9b4fab32766cf540a6fe30a2aae635.exe	81
PID 1080 wrote to memory of 4048	1080	6889ca5384c023d597e9cfcdbb95693eab9b4fab32766cf540a6fe30a2aae635.exe	82
PID 1080 wrote to memory of 4048	1080	6889ca5384c023d597e9cfcdbb95693eab9b4fab32766cf540a6fe30a2aae635.exe	82
PID 1080 wrote to memory of 4048	1080	6889ca5384c023d597e9cfcdbb95693eab9b4fab32766cf540a6fe30a2aae635.exe	82

C:\Users\Admin\AppData\Local\Temp\6889ca5384c023d597e9cfcdbb95693eab9b4fab32766cf540a6fe30a2aae635.exe
"C:\Users\Admin\AppData\Local\Temp\6889ca5384c023d597e9cfcdbb95693eab9b4fab32766cf540a6fe30a2aae635.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 608
  2⤵
  - Program crash
  PID:4708
- C:\Users\Admin\AppData\Local\Temp\6889ca5384c023d597e9cfcdbb95693eab9b4fab32766cf540a6fe30a2aae635.exe
  start
  2⤵
  - Suspicious use of UnmapMainImage
  PID:4904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 560
    3⤵
    - Program crash
    PID:2248
- C:\Users\Admin\AppData\Local\Temp\6889ca5384c023d597e9cfcdbb95693eab9b4fab32766cf540a6fe30a2aae635.exe
  watch
  2⤵
  - Suspicious use of UnmapMainImage
  PID:4048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 564
    3⤵
    - Program crash
    PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1080 -ip 1080
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4904 -ip 4904
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4048 -ip 4048
1⤵
PID:1196

memory/1080-132-0x00000000020A0000-0x00000000020BF000-memory.dmp

Filesize
124KB

Download
memory/1080-133-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1080-136-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4048-138-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4048-140-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4904-137-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4904-139-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download