Analysis
max time kernel: 260s
max time network: 293s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/01/2023, 13:29
Static task: static1

Behavioral task: behavioral1
    Sample: 77d29818be0d01c38545baa0bd4551c6853c224b.exe
    Resource: win7-20220901-en
    23 signatures, 150 seconds

Behavioral task: behavioral2
    Sample: 77d29818be0d01c38545baa0bd4551c6853c224b.exe
    Resource: win10v2004-20221111-en
    4 signatures, 150 seconds
General
Target: 77d29818be0d01c38545baa0bd4551c6853c224b.exe
Size: 365KB
MD5: 343adbd49e24d1bdec30f634f4055da8
SHA1: 77d29818be0d01c38545baa0bd4551c6853c224b
SHA256: 404c51dbba49787d8c3d9cde78efc1a5eb0d9f139c0c6b130438870a0ecc244c
SHA512: 4c6831539aef807c7cb4875306e5fecc06b769924e0a1f80a5316f194a5235ec9e904c932b3ec4021e7ef2237bc2dba3db47a8a1cb20244c67c9fa1e6d88298f
SSDEEP: 6144:SVjDF2Bp0G3LkjLsvBrL0+ecB4X0Y37cWI+HLq11aWBLXAO1DAjWbc:SRDF2BpjLQLsvBP0+ecyEY37C8P
Score: 7/10
Malware Config
Signatures
- Uses the VBS compiler for execution (1 TTPs)

- Suspicious use of SetThreadContext (1 IoCs)
    description                          pid   Process                                        procid_target
    PID 3444 set thread context of 3812  3444  77d29818be0d01c38545baa0bd4551c6853c224b.exe  80

- Program crash (2 IoCs)
    pid   pid_target  Process       procid_target
    2708  3812        WerFault.exe  80
    4396  3444        WerFault.exe  77

- Suspicious use of WriteProcessMemory (8 IoCs)
    description                      pid   Process                                        procid_target
    PID 3444 wrote to memory of 2160  3444  77d29818be0d01c38545baa0bd4551c6853c224b.exe  79
    PID 3444 wrote to memory of 2160  3444  77d29818be0d01c38545baa0bd4551c6853c224b.exe  79
    PID 3444 wrote to memory of 2160  3444  77d29818be0d01c38545baa0bd4551c6853c224b.exe  79
    PID 3444 wrote to memory of 3812  3444  77d29818be0d01c38545baa0bd4551c6853c224b.exe  80
    PID 3444 wrote to memory of 3812  3444  77d29818be0d01c38545baa0bd4551c6853c224b.exe  80
    PID 3444 wrote to memory of 3812  3444  77d29818be0d01c38545baa0bd4551c6853c224b.exe  80
    PID 3444 wrote to memory of 3812  3444  77d29818be0d01c38545baa0bd4551c6853c224b.exe  80
    PID 3444 wrote to memory of 3812  3444  77d29818be0d01c38545baa0bd4551c6853c224b.exe  80
Processes (tree depth shown by indentation; each entry lists image path, command line, matched signatures and PID)

1. C:\Users\Admin\AppData\Local\Temp\77d29818be0d01c38545baa0bd4551c6853c224b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\77d29818be0d01c38545baa0bd4551c6853c224b.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   PID: 3444

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 2160

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 3812

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 144
         - Program crash
         PID: 2708

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 308
      - Program crash
      PID: 4396

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3812 -ip 3812
   PID: 4540

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3444 -ip 3444
   PID: 4536