9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba

General

Target

9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe
Size

93KB
MD5

36fc56a7ce33916a09feb81b5fe52e33
SHA1

92bb52e6c2489f054c87684879ccf49e851d8b2a
SHA256

9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba
SHA512

9333c97878accaf636dd0dbd4730365fed1132dbd3cfc234f5254b36b5eda17928709163fb76142ecec45db6f0fcf61ed895d00175c5e2056886a3c583ea2950
SSDEEP

1536:UADWm7KxPVuw7JU2epOu0KxAPDcOzU1KVUNv/e71PicueKwBx:U+OHK4cOzUkexeKe

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1212 set thread context of 2004	1212	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1896	592	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1212	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe
1212	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2004	1212	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe	28
PID 1212 wrote to memory of 2004	1212	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe	28
PID 1212 wrote to memory of 2004	1212	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe	28
PID 1212 wrote to memory of 2004	1212	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe	28
PID 1212 wrote to memory of 2004	1212	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe	28
PID 1212 wrote to memory of 2004	1212	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe	28
PID 1212 wrote to memory of 2004	1212	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe	28
PID 1212 wrote to memory of 2004	1212	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe	28
PID 1212 wrote to memory of 2004	1212	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe	28
PID 1212 wrote to memory of 2004	1212	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe	28
PID 2004 wrote to memory of 592	2004	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe	29
PID 2004 wrote to memory of 592	2004	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe	29
PID 2004 wrote to memory of 592	2004	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe	29
PID 2004 wrote to memory of 592	2004	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe	29
PID 2004 wrote to memory of 592	2004	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe	29
PID 2004 wrote to memory of 592	2004	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe	29
PID 2004 wrote to memory of 592	2004	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe	29
PID 2004 wrote to memory of 592	2004	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe	29
PID 2004 wrote to memory of 592	2004	9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe	29
PID 592 wrote to memory of 1896	592	explorer.exe	30
PID 592 wrote to memory of 1896	592	explorer.exe	30
PID 592 wrote to memory of 1896	592	explorer.exe	30
PID 592 wrote to memory of 1896	592	explorer.exe	30

C:\Users\Admin\AppData\Local\Temp\9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe
"C:\Users\Admin\AppData\Local\Temp\9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe
  "C:\Users\Admin\AppData\Local\Temp\9eb949017013295bef0ad248ae7e7e6a1e0c337001da5a5651ee0ab6b7d5d3ba.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 232
      4⤵
      Program crash
      PID:1896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/592-72-0x0000000075581000-0x0000000075583000-memory.dmp

Filesize
8KB

Download
memory/592-68-0x00000000000E0000-0x00000000000E3000-memory.dmp

Filesize
12KB

Download
memory/592-66-0x00000000000D0000-0x00000000000D4000-memory.dmp

Filesize
16KB

Download
memory/1212-64-0x0000000000230000-0x0000000000235000-memory.dmp

Filesize
20KB

Download
memory/1212-54-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/2004-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2004-65-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2004-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2004-59-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2004-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2004-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2004-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads