4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5

General

Target

4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe
Size

201KB
MD5

7f6c14418f7e5dd9c105e2fe3c2ebe4f
SHA1

7064226b2316b30b76bbe9c91841600ba6ab3554
SHA256

4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5
SHA512

a70d79a8cfd491f77b1e91efb0b3da009b5d4cc02ebf7ddaff57fa4af94db0c476b72ea5676271c5899f9571e9d7b94514dbe1c626fba24e0f6d271878ba5c48
SSDEEP

1536:WiUDdyis5BP3/Ijy0vt0hkSxDxHs0krH64Osn:Df/IjyBVHs9esn

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe

description	pid	process	target process
PID 1984 set thread context of 1684	1984	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

964 1656 WerFault.exe explorer.exe

pid	pid_target	process	target process
964	1656	WerFault.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe

pid	process
1984	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe
1984	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exeexplorer.exe

description	pid	process	target process
PID 1984 wrote to memory of 1684	1984	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe
PID 1984 wrote to memory of 1684	1984	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe
PID 1984 wrote to memory of 1684	1984	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe
PID 1984 wrote to memory of 1684	1984	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe
PID 1984 wrote to memory of 1684	1984	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe
PID 1984 wrote to memory of 1684	1984	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe
PID 1984 wrote to memory of 1684	1984	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe
PID 1984 wrote to memory of 1684	1984	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe
PID 1984 wrote to memory of 1684	1984	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe
PID 1984 wrote to memory of 1684	1984	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe
PID 1684 wrote to memory of 1656	1684	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe	explorer.exe
PID 1684 wrote to memory of 1656	1684	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe	explorer.exe
PID 1684 wrote to memory of 1656	1684	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe	explorer.exe
PID 1684 wrote to memory of 1656	1684	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe	explorer.exe
PID 1684 wrote to memory of 1656	1684	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe	explorer.exe
PID 1684 wrote to memory of 1656	1684	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe	explorer.exe
PID 1684 wrote to memory of 1656	1684	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe	explorer.exe
PID 1684 wrote to memory of 1656	1684	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe	explorer.exe
PID 1684 wrote to memory of 1656	1684	4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe	explorer.exe
PID 1656 wrote to memory of 964	1656	explorer.exe	WerFault.exe
PID 1656 wrote to memory of 964	1656	explorer.exe	WerFault.exe
PID 1656 wrote to memory of 964	1656	explorer.exe	WerFault.exe
PID 1656 wrote to memory of 964	1656	explorer.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe
"C:\Users\Admin\AppData\Local\Temp\4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe
"C:\Users\Admin\AppData\Local\Temp\4e995c4532cbe44e5167d3bf2e011e586bd6fa9e9378471a7d98d8f0029197a5.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 232
4⤵
- Program crash
PID:964

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/964-73-0x0000000000000000-mapping.dmp

Download
memory/1656-68-0x00000000000A0000-0x00000000000A3000-memory.dmp

Filesize
12KB

Download
memory/1656-72-0x0000000074601000-0x0000000074603000-memory.dmp

Filesize
8KB

Download
memory/1656-70-0x0000000000000000-mapping.dmp

Download
memory/1656-66-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/1684-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1684-62-0x0000000000402750-mapping.dmp

Download
memory/1684-65-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1684-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1684-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1684-59-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1684-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1684-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1984-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1984-63-0x0000000000330000-0x0000000000335000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads