894c5326a6a8151dea1efa8ea361e1e7ee6060dd0c011d2a159e279b4c8ecf1b

Analysis

max time kernel
154s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

894c5326a6a8151dea1efa8ea361e1e7ee6060dd0c011d2a159e279b4c8ecf1b.exe
Size

85KB
MD5

61b5d3021283cb81179bde830789ccbc
SHA1

3d8ea71992e33000145df59a20ea501e71b910ca
SHA256

894c5326a6a8151dea1efa8ea361e1e7ee6060dd0c011d2a159e279b4c8ecf1b
SHA512

e6661eee88b92b246133f023f48c0e1a8138931fe8bf7db61ce227f134da47c493e32a8a0cc201c6285231a06de708a031f326f2c036514d098701088c9e9be4
SSDEEP

1536:h9eii5NY0WEPKPHAekKserKp3o2We+nV4P6eVqiaSt/1u/W0RvBdBDRCG9+BVi:Lx0WEPKPHAerx2InV66eVq5SfuZzDoG/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2920	vp9al5pp.exe
2552	vp9al5pp.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4120 set thread context of 1732	4120	894c5326a6a8151dea1efa8ea361e1e7ee6060dd0c011d2a159e279b4c8ecf1b.exe	81
PID 2920 set thread context of 2552	2920	vp9al5pp.exe	86

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4052	4120	WerFault.exe	80
5052	2920	WerFault.exe	84

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 1732	4120	894c5326a6a8151dea1efa8ea361e1e7ee6060dd0c011d2a159e279b4c8ecf1b.exe	81
PID 4120 wrote to memory of 1732	4120	894c5326a6a8151dea1efa8ea361e1e7ee6060dd0c011d2a159e279b4c8ecf1b.exe	81
PID 4120 wrote to memory of 1732	4120	894c5326a6a8151dea1efa8ea361e1e7ee6060dd0c011d2a159e279b4c8ecf1b.exe	81
PID 4120 wrote to memory of 1732	4120	894c5326a6a8151dea1efa8ea361e1e7ee6060dd0c011d2a159e279b4c8ecf1b.exe	81
PID 4120 wrote to memory of 1732	4120	894c5326a6a8151dea1efa8ea361e1e7ee6060dd0c011d2a159e279b4c8ecf1b.exe	81
PID 1732 wrote to memory of 2920	1732	894c5326a6a8151dea1efa8ea361e1e7ee6060dd0c011d2a159e279b4c8ecf1b.exe	84
PID 1732 wrote to memory of 2920	1732	894c5326a6a8151dea1efa8ea361e1e7ee6060dd0c011d2a159e279b4c8ecf1b.exe	84
PID 1732 wrote to memory of 2920	1732	894c5326a6a8151dea1efa8ea361e1e7ee6060dd0c011d2a159e279b4c8ecf1b.exe	84
PID 2920 wrote to memory of 2552	2920	vp9al5pp.exe	86
PID 2920 wrote to memory of 2552	2920	vp9al5pp.exe	86
PID 2920 wrote to memory of 2552	2920	vp9al5pp.exe	86
PID 2920 wrote to memory of 2552	2920	vp9al5pp.exe	86
PID 2920 wrote to memory of 2552	2920	vp9al5pp.exe	86

C:\Users\Admin\AppData\Local\Temp\894c5326a6a8151dea1efa8ea361e1e7ee6060dd0c011d2a159e279b4c8ecf1b.exe
"C:\Users\Admin\AppData\Local\Temp\894c5326a6a8151dea1efa8ea361e1e7ee6060dd0c011d2a159e279b4c8ecf1b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Users\Admin\AppData\Local\Temp\894c5326a6a8151dea1efa8ea361e1e7ee6060dd0c011d2a159e279b4c8ecf1b.exe
  C:\Users\Admin\AppData\Local\Temp\894c5326a6a8151dea1efa8ea361e1e7ee6060dd0c011d2a159e279b4c8ecf1b.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Roaming\vp9al5pp.exe
    C:\Users\Admin\AppData\Roaming\vp9al5pp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Users\Admin\AppData\Roaming\vp9al5pp.exe
      C:\Users\Admin\AppData\Roaming\vp9al5pp.exe
      4⤵
      Executes dropped EXE
      PID:2552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 304
      4⤵
      Program crash
      PID:5052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 316
  2⤵
  - Program crash
  PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4120 -ip 4120
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2920 -ip 2920
1⤵
PID:4036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vp9al5pp.exe

Filesize
85KB

MD5
981049be112deb990351c62d6c3d5099

SHA1
e31b9d24e99754ae909ed5ae419d6a5c3e4a2a26

SHA256
794440bb5cb37f149f28964e5c832824e1359629edce51007b77679e6fa5f340

SHA512
6f7ff93288955d53436f7cfb28a35645443ad2686dffa94654453294a64ef98076e62b9bbb1bc79a9693778eb1f564bbda4c1dda3d0e052ccde615572a5f5d67

Download Submit
C:\Users\Admin\AppData\Roaming\vp9al5pp.exe

Filesize
85KB

MD5
981049be112deb990351c62d6c3d5099

SHA1
e31b9d24e99754ae909ed5ae419d6a5c3e4a2a26

SHA256
794440bb5cb37f149f28964e5c832824e1359629edce51007b77679e6fa5f340

SHA512
6f7ff93288955d53436f7cfb28a35645443ad2686dffa94654453294a64ef98076e62b9bbb1bc79a9693778eb1f564bbda4c1dda3d0e052ccde615572a5f5d67

Download Submit
C:\Users\Admin\AppData\Roaming\vp9al5pp.exe

Filesize
85KB

MD5
981049be112deb990351c62d6c3d5099

SHA1
e31b9d24e99754ae909ed5ae419d6a5c3e4a2a26

SHA256
794440bb5cb37f149f28964e5c832824e1359629edce51007b77679e6fa5f340

SHA512
6f7ff93288955d53436f7cfb28a35645443ad2686dffa94654453294a64ef98076e62b9bbb1bc79a9693778eb1f564bbda4c1dda3d0e052ccde615572a5f5d67

Download Submit
memory/1732-138-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1732-137-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1732-140-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1732-136-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2552-146-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2552-147-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2552-148-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2552-149-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads