c38253f8d773c3b3d9a0ddc6a46464014d2568221cbe8a9fccadeb8a2de303e5

Analysis

max time kernel
43s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c38253f8d773c3b3d9a0ddc6a46464014d2568221cbe8a9fccadeb8a2de303e5.exe
Size

48KB
MD5

a559acfaa60a579b39ae7fd276ae3d9e
SHA1

e9b679c67fd1b280f8c3e08d51c2f326160c8c5d
SHA256

c38253f8d773c3b3d9a0ddc6a46464014d2568221cbe8a9fccadeb8a2de303e5
SHA512

9ccf11d6a613bc918b2fca794699144049edbf5a8f691268a6861475df51682e6d8956a6e843e8a2a98bfc8f80383805231c6f3b13b183f9245f86795cd0ac03
SSDEEP

768:bQ5hdL6QjWUGmrQZi+LtmtnB7CwgbLaTTIIMdzstb:q2UGdiOt2nBGl+TKdzstb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

vgtdcg.exe

pid process

1624 vgtdcg.exe
Loads dropped DLL 2 IoCs

Processes:

WerFault.exe

pid process

768 WerFault.exe
768 WerFault.exe

pid	process
1624	vgtdcg.exe

pid	process
768	WerFault.exe
768	WerFault.exe

Drops file in System32 directory 2 IoCs

Processes:

c38253f8d773c3b3d9a0ddc6a46464014d2568221cbe8a9fccadeb8a2de303e5.exe

description	ioc	process
File created	C:\Windows\SysWOW64\vgtdcg.exe	c38253f8d773c3b3d9a0ddc6a46464014d2568221cbe8a9fccadeb8a2de303e5.exe
File opened for modification	C:\Windows\SysWOW64\vgtdcg.exe	c38253f8d773c3b3d9a0ddc6a46464014d2568221cbe8a9fccadeb8a2de303e5.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
1720	1708	WerFault.exe	c38253f8d773c3b3d9a0ddc6a46464014d2568221cbe8a9fccadeb8a2de303e5.exe
768	1624	WerFault.exe	vgtdcg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

c38253f8d773c3b3d9a0ddc6a46464014d2568221cbe8a9fccadeb8a2de303e5.exevgtdcg.exe

pid	process
1708	c38253f8d773c3b3d9a0ddc6a46464014d2568221cbe8a9fccadeb8a2de303e5.exe
1708	c38253f8d773c3b3d9a0ddc6a46464014d2568221cbe8a9fccadeb8a2de303e5.exe
1624	vgtdcg.exe
1624	vgtdcg.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c38253f8d773c3b3d9a0ddc6a46464014d2568221cbe8a9fccadeb8a2de303e5.exevgtdcg.exe

description	pid	process	target process
PID 1708 wrote to memory of 1720	1708	c38253f8d773c3b3d9a0ddc6a46464014d2568221cbe8a9fccadeb8a2de303e5.exe	WerFault.exe
PID 1708 wrote to memory of 1720	1708	c38253f8d773c3b3d9a0ddc6a46464014d2568221cbe8a9fccadeb8a2de303e5.exe	WerFault.exe
PID 1708 wrote to memory of 1720	1708	c38253f8d773c3b3d9a0ddc6a46464014d2568221cbe8a9fccadeb8a2de303e5.exe	WerFault.exe
PID 1708 wrote to memory of 1720	1708	c38253f8d773c3b3d9a0ddc6a46464014d2568221cbe8a9fccadeb8a2de303e5.exe	WerFault.exe
PID 1624 wrote to memory of 768	1624	vgtdcg.exe	WerFault.exe
PID 1624 wrote to memory of 768	1624	vgtdcg.exe	WerFault.exe
PID 1624 wrote to memory of 768	1624	vgtdcg.exe	WerFault.exe
PID 1624 wrote to memory of 768	1624	vgtdcg.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\c38253f8d773c3b3d9a0ddc6a46464014d2568221cbe8a9fccadeb8a2de303e5.exe
"C:\Users\Admin\AppData\Local\Temp\c38253f8d773c3b3d9a0ddc6a46464014d2568221cbe8a9fccadeb8a2de303e5.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 116
2⤵
- Program crash
PID:1720

C:\Windows\SysWOW64\vgtdcg.exe
C:\Windows\SysWOW64\vgtdcg.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 188
2⤵
- Loads dropped DLL
- Program crash
PID:768

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\vgtdcg.exe
Filesize
48KB

MD5
a559acfaa60a579b39ae7fd276ae3d9e

SHA1
e9b679c67fd1b280f8c3e08d51c2f326160c8c5d

SHA256
c38253f8d773c3b3d9a0ddc6a46464014d2568221cbe8a9fccadeb8a2de303e5

SHA512
9ccf11d6a613bc918b2fca794699144049edbf5a8f691268a6861475df51682e6d8956a6e843e8a2a98bfc8f80383805231c6f3b13b183f9245f86795cd0ac03

Download Submit
\Windows\SysWOW64\vgtdcg.exe
Filesize
48KB

MD5
a559acfaa60a579b39ae7fd276ae3d9e

SHA1
e9b679c67fd1b280f8c3e08d51c2f326160c8c5d

SHA256
c38253f8d773c3b3d9a0ddc6a46464014d2568221cbe8a9fccadeb8a2de303e5

SHA512
9ccf11d6a613bc918b2fca794699144049edbf5a8f691268a6861475df51682e6d8956a6e843e8a2a98bfc8f80383805231c6f3b13b183f9245f86795cd0ac03

Download Submit
\Windows\SysWOW64\vgtdcg.exe
Filesize
48KB

MD5
a559acfaa60a579b39ae7fd276ae3d9e

SHA1
e9b679c67fd1b280f8c3e08d51c2f326160c8c5d

SHA256
c38253f8d773c3b3d9a0ddc6a46464014d2568221cbe8a9fccadeb8a2de303e5

SHA512
9ccf11d6a613bc918b2fca794699144049edbf5a8f691268a6861475df51682e6d8956a6e843e8a2a98bfc8f80383805231c6f3b13b183f9245f86795cd0ac03

Download Submit
memory/768-56-0x0000000000000000-mapping.dmp

Download
memory/1720-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads