d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdc

Analysis

max time kernel
171s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 17:05

Target

d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdc.exe
Size

523KB
MD5

447e6bbe593e938286009d7277fd4e20
SHA1

35f9c56a57125bbb37942119ddfce10e00a32ed1
SHA256

d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdc
SHA512

30b8da45aa338be9a99f95d66fd9b5dbeb95f61f0718c7eaf0bfc04753ff54a5b3ca8de81f36c98e69eb5ca2fed4e3ae2e6c245b97afbf199598cdb2706f8b3b
SSDEEP

12288:Fy48WEX0PAaDvdx8ZKEg2hyeJxVGeDQpgQgtf2LJVO7Lz:FynqIwdxcbg2h0Yv2K3z

Score

8^/10

upx

Executes dropped EXE 1 IoCs

Processes:

d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdcmgr.exe

pid process

4788 d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdcmgr.exe

pid	process
4788	d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdcmgr.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdcmgr.exe	upx
C:\Users\Admin\AppData\Local\Temp\d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdcmgr.exe	upx
behavioral2/memory/4788-136-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral2/memory/4788-137-0x0000000000400000-0x0000000000461000-memory.dmp	upx

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3952	3152	WerFault.exe	d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdc.exe
4260	3152	WerFault.exe	d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdc.exe
8	4788	WerFault.exe	d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdcmgr.exe
2088	3152	WerFault.exe	d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdc.exe

description	pid	process	target process
PID 3152 wrote to memory of 4788	3152	d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdc.exe	d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdcmgr.exe
PID 3152 wrote to memory of 4788	3152	d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdc.exe	d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdcmgr.exe
PID 3152 wrote to memory of 4788	3152	d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdc.exe	d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdcmgr.exe

C:\Users\Admin\AppData\Local\Temp\d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdc.exe
"C:\Users\Admin\AppData\Local\Temp\d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 476
2⤵
- Program crash
PID:3952

C:\Users\Admin\AppData\Local\Temp\d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdcmgr.exe
C:\Users\Admin\AppData\Local\Temp\d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdcmgr.exe
2⤵
- Executes dropped EXE
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 260
3⤵
- Program crash
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 472
2⤵
- Program crash
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 480
2⤵
- Program crash
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 3152 -ip 3152
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3152 -ip 3152
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4788 -ip 4788
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3152 -ip 3152
1⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdcmgr.exe
Filesize
155KB

MD5
60b4a01f8e198b8857f674ca6a809d75

SHA1
6b9667a5210cf76d730e4305ebc5417187009d2a

SHA256
6e9f1ec2429a8bedf6a886d97a22d4fc37cec011f697fd6368d5ebb3b5b01071

SHA512
b7045cc893bccfe3cc7881c42ad903dc23962702c24e7c797071a68a7463b27822a3b77a82fd5ed1c939f12fe4f1ff944c9a436097f96bf2ca00732595236744

Download Submit
C:\Users\Admin\AppData\Local\Temp\d586a3e4da158fcd3843f50b59caeafe208d770922c665bdabed007a9ef83cdcmgr.exe
Filesize
155KB

MD5
60b4a01f8e198b8857f674ca6a809d75

SHA1
6b9667a5210cf76d730e4305ebc5417187009d2a

SHA256
6e9f1ec2429a8bedf6a886d97a22d4fc37cec011f697fd6368d5ebb3b5b01071

SHA512
b7045cc893bccfe3cc7881c42ad903dc23962702c24e7c797071a68a7463b27822a3b77a82fd5ed1c939f12fe4f1ff944c9a436097f96bf2ca00732595236744

Download Submit
memory/3152-132-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3152-138-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4788-133-0x0000000000000000-mapping.dmp

Download
memory/4788-136-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4788-137-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download