b7d275b3bd2e9f4c9df27dec4131990cf334241b92157c9b7cb4e1796f132e2a

Analysis

max time kernel
248s
max time network
286s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7d275b3bd2e9f4c9df27dec4131990cf334241b92157c9b7cb4e1796f132e2a.exe
Size

129KB
MD5

f34d6043f68bebe820e7d433afa036f9
SHA1

6799b116086add8a2904a29a834c79b3628ed01b
SHA256

b7d275b3bd2e9f4c9df27dec4131990cf334241b92157c9b7cb4e1796f132e2a
SHA512

0c3b8875bd0ddbb4666dbc5bb77b036cbe89b98553cb8fb0e7d6163b9081851c495bc580311a6d291a2cf4773a39e4bcd4e5182ad04a59d2a036c82adb4597a4
SSDEEP

3072:HTDTqoivk9IkwYURuXSz6MDh9J2dK0+LR+FmwNy6z:zHo7Rp6W70+sFmwo6z

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2640	File1.exe
4352	File2.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
808	2640	WerFault.exe	79
3092	4352	WerFault.exe	81
3760	4352	WerFault.exe	81
2220	2640	WerFault.exe	79

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
216	b7d275b3bd2e9f4c9df27dec4131990cf334241b92157c9b7cb4e1796f132e2a.exe
2640	File1.exe
4352	File2.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 2640	216	b7d275b3bd2e9f4c9df27dec4131990cf334241b92157c9b7cb4e1796f132e2a.exe	79
PID 216 wrote to memory of 2640	216	b7d275b3bd2e9f4c9df27dec4131990cf334241b92157c9b7cb4e1796f132e2a.exe	79
PID 216 wrote to memory of 2640	216	b7d275b3bd2e9f4c9df27dec4131990cf334241b92157c9b7cb4e1796f132e2a.exe	79
PID 216 wrote to memory of 4352	216	b7d275b3bd2e9f4c9df27dec4131990cf334241b92157c9b7cb4e1796f132e2a.exe	81
PID 216 wrote to memory of 4352	216	b7d275b3bd2e9f4c9df27dec4131990cf334241b92157c9b7cb4e1796f132e2a.exe	81
PID 216 wrote to memory of 4352	216	b7d275b3bd2e9f4c9df27dec4131990cf334241b92157c9b7cb4e1796f132e2a.exe	81
PID 2640 wrote to memory of 808	2640	File1.exe	85
PID 2640 wrote to memory of 808	2640	File1.exe	85
PID 2640 wrote to memory of 808	2640	File1.exe	85
PID 4352 wrote to memory of 3092	4352	File2.exe	86
PID 4352 wrote to memory of 3092	4352	File2.exe	86
PID 4352 wrote to memory of 3092	4352	File2.exe	86

C:\Users\Admin\AppData\Local\Temp\b7d275b3bd2e9f4c9df27dec4131990cf334241b92157c9b7cb4e1796f132e2a.exe
"C:\Users\Admin\AppData\Local\Temp\b7d275b3bd2e9f4c9df27dec4131990cf334241b92157c9b7cb4e1796f132e2a.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Roaming\File1.exe
  C:\Users\Admin\AppData\Roaming\File1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 492
    3⤵
    - Program crash
    PID:808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 492
    3⤵
    - Program crash
    PID:2220
- C:\Users\Admin\AppData\Roaming\File2.exe
  C:\Users\Admin\AppData\Roaming\File2.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 500
    3⤵
    - Program crash
    PID:3092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 500
    3⤵
    - Program crash
    PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4352 -ip 4352
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2640 -ip 2640
1⤵
PID:4328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\File1.exe

Filesize
129KB

MD5
66e8791f95a3955b474e611b992d2b7d

SHA1
98819722dfc903731c2ff9d35541a2988b6a2b72

SHA256
55b46e6e12412c6599920f4f4d2a07147e07fbbe84a4a9e824793c7059844793

SHA512
c125df6250b48ce7a12defe6c0a68d2f70f22aadd2b6ed700f76ada4fda78a8bff8f08bbd14b4681143f56c5d4ef5880998b63022373da7bedaea494f5937322

Download Submit
C:\Users\Admin\AppData\Roaming\File1.exe

Filesize
129KB

MD5
66e8791f95a3955b474e611b992d2b7d

SHA1
98819722dfc903731c2ff9d35541a2988b6a2b72

SHA256
55b46e6e12412c6599920f4f4d2a07147e07fbbe84a4a9e824793c7059844793

SHA512
c125df6250b48ce7a12defe6c0a68d2f70f22aadd2b6ed700f76ada4fda78a8bff8f08bbd14b4681143f56c5d4ef5880998b63022373da7bedaea494f5937322

Download Submit
C:\Users\Admin\AppData\Roaming\File2.exe

Filesize
129KB

MD5
40a07b508c88b6bf4673a915b4460896

SHA1
d839394f2f0259443abea20f8c20063c3e81b470

SHA256
6a91c03971317345ea81d14e3b9a2cb4605f0d29eef8fff571bb0819b3a46d2a

SHA512
eba6916ad3cfe4ed8fa7e835b0d97970a92335a3e587524dd18e3b78fd50a4b9a6c94789b91e9af74b0fa2cf076af8c59f8e6ce7250a9b96501270697d8708bd

Download Submit
C:\Users\Admin\AppData\Roaming\File2.exe

Filesize
129KB

MD5
40a07b508c88b6bf4673a915b4460896

SHA1
d839394f2f0259443abea20f8c20063c3e81b470

SHA256
6a91c03971317345ea81d14e3b9a2cb4605f0d29eef8fff571bb0819b3a46d2a

SHA512
eba6916ad3cfe4ed8fa7e835b0d97970a92335a3e587524dd18e3b78fd50a4b9a6c94789b91e9af74b0fa2cf076af8c59f8e6ce7250a9b96501270697d8708bd

Download Submit
memory/216-134-0x0000000000400000-0x000000000040E001-memory.dmp

Filesize
56KB

Download
memory/216-151-0x0000000000400000-0x000000000040E001-memory.dmp

Filesize
56KB

Download
memory/2640-138-0x0000000000400000-0x000000000040E001-memory.dmp

Filesize
56KB

Download
memory/2640-141-0x0000000000400000-0x000000000040E001-memory.dmp

Filesize
56KB

Download
memory/2640-152-0x0000000000400000-0x000000000040E001-memory.dmp

Filesize
56KB

Download
memory/4352-144-0x0000000000400000-0x000000000040E001-memory.dmp

Filesize
56KB

Download
memory/4352-148-0x0000000000400000-0x000000000040E001-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads