093cc33f34163eb66d24eb57bcf09ac3ee2c2ef9b1ad6c70c8859515b79bcb8f

Analysis

max time kernel
3s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:14

Target

093cc33f34163eb66d24eb57bcf09ac3ee2c2ef9b1ad6c70c8859515b79bcb8f.exe
Size

200KB
MD5

3019f028798ab5ce25e98cdbf3164e41
SHA1

a804816a7d9e5f01adb188af424a535943679653
SHA256

093cc33f34163eb66d24eb57bcf09ac3ee2c2ef9b1ad6c70c8859515b79bcb8f
SHA512

07fa8b4f624fd73714751655225514f12ce8995031afcabfeaf9bdd9118cfbf5a61adaf8f1b32d2a25502dc968c92603987a05b576c0f19f75135f71a328b42d
SSDEEP

6144:YlUjurAGSglR5YxhCaeG3aUaSxhtAPuknL0rR:YnAGSglwxY6x/uuWL+

Score

8^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/1228-55-0x0000000000400000-0x000000000043B000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

940 1228 WerFault.exe 093cc33f34163eb66d24eb57bcf09ac3ee2c2ef9b1ad6c70c8859515b79bcb8f.exe

pid	pid_target	process	target process
940	1228	WerFault.exe	093cc33f34163eb66d24eb57bcf09ac3ee2c2ef9b1ad6c70c8859515b79bcb8f.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

093cc33f34163eb66d24eb57bcf09ac3ee2c2ef9b1ad6c70c8859515b79bcb8f.exe

description	pid	process	target process
PID 1228 wrote to memory of 940	1228	093cc33f34163eb66d24eb57bcf09ac3ee2c2ef9b1ad6c70c8859515b79bcb8f.exe	WerFault.exe
PID 1228 wrote to memory of 940	1228	093cc33f34163eb66d24eb57bcf09ac3ee2c2ef9b1ad6c70c8859515b79bcb8f.exe	WerFault.exe
PID 1228 wrote to memory of 940	1228	093cc33f34163eb66d24eb57bcf09ac3ee2c2ef9b1ad6c70c8859515b79bcb8f.exe	WerFault.exe
PID 1228 wrote to memory of 940	1228	093cc33f34163eb66d24eb57bcf09ac3ee2c2ef9b1ad6c70c8859515b79bcb8f.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\093cc33f34163eb66d24eb57bcf09ac3ee2c2ef9b1ad6c70c8859515b79bcb8f.exe
"C:\Users\Admin\AppData\Local\Temp\093cc33f34163eb66d24eb57bcf09ac3ee2c2ef9b1ad6c70c8859515b79bcb8f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 44
2⤵
- Program crash
PID:940

memory/940-54-0x0000000000000000-mapping.dmp

Download
memory/1228-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download