Analysis Overview
SHA256
57922942046462a3cbb1e5b1c6eb7f836eb8aeb69907385dc1371050ec1d0aee
Threat Level: Shows suspicious behavior
The file 57922942046462a3cbb1e5b1c6eb7f836eb8aeb69907385dc1371050ec1d0aee was classified as: Shows suspicious behavior.
Malicious Activity Summary
VMProtect packed file
Obfuscated with Agile.Net obfuscator
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-04-05 07:56
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-05 07:56
Reported
2023-04-05 07:59
Platform
win7-20230220-en
Max time kernel
29s
Max time network
34s
Command Line
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a0c64497d91a1176f91723beabe68fd5521a32a2531664ac5cbb02ff9abad8b4.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1412 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\a0c64497d91a1176f91723beabe68fd5521a32a2531664ac5cbb02ff9abad8b4.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1412 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\a0c64497d91a1176f91723beabe68fd5521a32a2531664ac5cbb02ff9abad8b4.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1412 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\a0c64497d91a1176f91723beabe68fd5521a32a2531664ac5cbb02ff9abad8b4.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1412 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\a0c64497d91a1176f91723beabe68fd5521a32a2531664ac5cbb02ff9abad8b4.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a0c64497d91a1176f91723beabe68fd5521a32a2531664ac5cbb02ff9abad8b4.exe
"C:\Users\Admin\AppData\Local\Temp\a0c64497d91a1176f91723beabe68fd5521a32a2531664ac5cbb02ff9abad8b4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 1020
Network
Files
memory/1412-54-0x0000000000CC0000-0x0000000001CAE000-memory.dmp
memory/1412-55-0x000000000A550000-0x000000000A590000-memory.dmp
memory/1412-56-0x00000000003A0000-0x00000000003A1000-memory.dmp
memory/1412-57-0x000000000A770000-0x000000000AB60000-memory.dmp
memory/1412-58-0x000000000AB60000-0x000000000ADAE000-memory.dmp
memory/1412-59-0x00000000006C0000-0x000000000070E000-memory.dmp
memory/1412-60-0x0000000005E70000-0x0000000005FBA000-memory.dmp
memory/1412-61-0x0000000000630000-0x0000000000660000-memory.dmp
memory/1412-62-0x00000000062A0000-0x00000000063B6000-memory.dmp
memory/1412-63-0x000000000A550000-0x000000000A590000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-05 07:56
Reported
2023-04-05 07:59
Platform
win10v2004-20230221-en
Max time kernel
74s
Max time network
123s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a0c64497d91a1176f91723beabe68fd5521a32a2531664ac5cbb02ff9abad8b4.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a0c64497d91a1176f91723beabe68fd5521a32a2531664ac5cbb02ff9abad8b4.exe
"C:\Users\Admin\AppData\Local\Temp\a0c64497d91a1176f91723beabe68fd5521a32a2531664ac5cbb02ff9abad8b4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4156 -ip 4156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 1624
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 20.42.65.90:443 | | tcp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 117.18.237.29:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
Files
memory/4156-133-0x00000000003A0000-0x000000000138E000-memory.dmp
memory/4156-134-0x000000000AEF0000-0x000000000B494000-memory.dmp
memory/4156-135-0x000000000A340000-0x000000000A350000-memory.dmp
memory/4156-137-0x000000000A9E0000-0x000000000AA72000-memory.dmp
memory/4156-136-0x0000000005800000-0x0000000005801000-memory.dmp
memory/4156-138-0x000000000A990000-0x000000000A99A000-memory.dmp