77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228

Analysis

max time kernel
246s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228.exe
Size

2.3MB
MD5

0eb6c0eb0571d66a067efe6586b7c8d5
SHA1

7791b46bf08941f0dfe855fa613b2392e1c3dfd0
SHA256

77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228
SHA512

7f552f90adca37d0344c2c03c891b68e9cfb0c7a3e4825c821a387b5f9b07a3fd28162469e743eb8f7b8e34bb027c454a185c21de53c8d15141b404334b51899
SSDEEP

49152:RmNSN0oEK6/aKnmuGRdulJE0QKh4lfMjeZNl2JtPfcw6:RJNafOfRYlG0QKh4lfjk5q

Score

9^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\vdl1ED7.tmp	acprotect
\Users\Admin\AppData\Local\Temp\vdl1ED7.tmp	acprotect

Loads dropped DLL 2 IoCs

Processes:

77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228.exeWerFault.exe

pid process

560 77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228.exe
1064 WerFault.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1064 560 WerFault.exe 77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228.exe

pid process

560 77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228.exe

pid	process
560	77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228.exe
1064	WerFault.exe

pid	pid_target	process	target process
1064	560	WerFault.exe	77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228.exe

pid	process
560	77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228.exe

description	pid	process	target process
PID 560 wrote to memory of 1064	560	77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228.exe	WerFault.exe
PID 560 wrote to memory of 1064	560	77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228.exe	WerFault.exe
PID 560 wrote to memory of 1064	560	77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228.exe	WerFault.exe
PID 560 wrote to memory of 1064	560	77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228.exe	WerFault.exe
PID 560 wrote to memory of 1064	560	77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228.exe	WerFault.exe
PID 560 wrote to memory of 1064	560	77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228.exe	WerFault.exe
PID 560 wrote to memory of 1064	560	77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228.exe
"C:\Users\Admin\AppData\Local\Temp\77886d3d64b00470dfd36de7389f53e3efe68c3caa863104b2b35b7cf9a01228.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 272
2⤵
- Loads dropped DLL
- Program crash
PID:1064

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\vdl1ED7.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\vdl1ED7.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/560-60-0x0000000000950000-0x00000000009C3000-memory.dmp

Filesize
460KB

Download
memory/560-57-0x00000000001C0000-0x0000000000206000-memory.dmp

Filesize
280KB

Download
memory/560-59-0x00000000001C0000-0x0000000000206000-memory.dmp

Filesize
280KB

Download
memory/560-58-0x00000000001C0000-0x0000000000206000-memory.dmp

Filesize
280KB

Download
memory/560-54-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download
memory/560-56-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/560-63-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/560-64-0x00000000001C0000-0x0000000000206000-memory.dmp

Filesize
280KB

Download
memory/560-65-0x00000000001C0000-0x0000000000206000-memory.dmp

Filesize
280KB

Download
memory/560-66-0x00000000001C0000-0x0000000000206000-memory.dmp

Filesize
280KB

Download
memory/560-67-0x0000000000950000-0x00000000009C3000-memory.dmp

Filesize
460KB

Download
memory/1064-61-0x0000000000000000-mapping.dmp

Download