af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd

Analysis

max time kernel
139s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe
Size

109KB
MD5

ac5d31b8de8fb810312551669843a08b
SHA1

c143e3e655ed4e9955c49c18963b1ba95a224cf8
SHA256

af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd
SHA512

ebe5e8f1583959f81513a03644f7b2dd4d5eee3a2ca17fbeae53a8fede613e941130a802165356f213fee8b4b68d2a432f46575958dd72090317f90c2d67f427
SSDEEP

1536:X14pTXxuEPftZYD5sxRP2mW2vgQALz94CPzNV0hUgG/M385tn:X14pTXxuy1KyxRPhWQgQU9pPzNFQG

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4084	4204	WerFault.exe	84

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 984 wrote to memory of 4120	984	af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe	80
PID 984 wrote to memory of 4120	984	af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe	80
PID 984 wrote to memory of 4120	984	af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe	80
PID 4120 wrote to memory of 1732	4120	af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe	81
PID 4120 wrote to memory of 1732	4120	af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe	81
PID 4120 wrote to memory of 1732	4120	af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe	81
PID 1732 wrote to memory of 2176	1732	af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe	82
PID 1732 wrote to memory of 2176	1732	af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe	82
PID 1732 wrote to memory of 2176	1732	af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe	82
PID 2176 wrote to memory of 3736	2176	af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe	83
PID 2176 wrote to memory of 3736	2176	af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe	83
PID 2176 wrote to memory of 3736	2176	af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe	83
PID 3736 wrote to memory of 4204	3736	af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe	84
PID 3736 wrote to memory of 4204	3736	af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe	84
PID 3736 wrote to memory of 4204	3736	af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe	84

C:\Users\Admin\AppData\Local\Temp\af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe
"C:\Users\Admin\AppData\Local\Temp\af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:984
- C:\Users\Admin\AppData\Local\Temp\af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe
  1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Users\Admin\AppData\Local\Temp\af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe
    2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe
      3
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2176
    - - C:\Users\Admin\AppData\Local\Temp\af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe
        
        4
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3736
      - C:\Users\Admin\AppData\Local\Temp\af20ddd58724506ba85d1ea77901a0ef4ae93a4af80fa85702a0d5363b1bbecd.exe
        
        5
        6⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 252
        7⤵
        Program crash
        
        PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4204 -ip 4204
1⤵
PID:4052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1732-136-0x0000000000000000-mapping.dmp

Download
memory/2176-137-0x0000000000000000-mapping.dmp

Download
memory/3736-138-0x0000000000000000-mapping.dmp

Download
memory/4120-135-0x0000000000000000-mapping.dmp

Download
memory/4204-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads