Analysis Overview
SHA256
ae94e9fc96dc5a4d7f53cd487c0fefd41cbb8d93bf4d29ed105fac83bd68e41c
Threat Level: Known bad
The file 1dc6a4dd8ac552c5bb6aa2f12d83926b.bin was found to be: Known bad.
Malicious Activity Summary
DarkCloud
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-07-22 01:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-22 01:06
Reported
2023-07-22 01:09
Platform
win7-20230712-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\295757477a07e2f8c97054d3293539518781c52206b5deb274f955082d8e7d87.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2136 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\295757477a07e2f8c97054d3293539518781c52206b5deb274f955082d8e7d87.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2136 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\295757477a07e2f8c97054d3293539518781c52206b5deb274f955082d8e7d87.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2136 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\295757477a07e2f8c97054d3293539518781c52206b5deb274f955082d8e7d87.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2136 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\295757477a07e2f8c97054d3293539518781c52206b5deb274f955082d8e7d87.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\295757477a07e2f8c97054d3293539518781c52206b5deb274f955082d8e7d87.exe
"C:\Users\Admin\AppData\Local\Temp\295757477a07e2f8c97054d3293539518781c52206b5deb274f955082d8e7d87.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 680
Network
Files
memory/2136-54-0x0000000000010000-0x00000000000FA000-memory.dmp
memory/2136-55-0x00000000741D0000-0x00000000748BE000-memory.dmp
memory/2136-56-0x0000000004C50000-0x0000000004C90000-memory.dmp
memory/2136-57-0x0000000000580000-0x000000000058E000-memory.dmp
memory/2136-58-0x00000000741D0000-0x00000000748BE000-memory.dmp
memory/2136-59-0x0000000004C50000-0x0000000004C90000-memory.dmp
memory/2136-60-0x0000000000620000-0x000000000062A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-22 01:06
Reported
2023-07-22 01:09
Platform
win10v2004-20230703-en
Max time kernel
148s
Max time network
148s
Command Line
Signatures
DarkCloud
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3452 set thread context of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\295757477a07e2f8c97054d3293539518781c52206b5deb274f955082d8e7d87.exe | C:\Users\Admin\AppData\Local\Temp\295757477a07e2f8c97054d3293539518781c52206b5deb274f955082d8e7d87.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\295757477a07e2f8c97054d3293539518781c52206b5deb274f955082d8e7d87.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\295757477a07e2f8c97054d3293539518781c52206b5deb274f955082d8e7d87.exe
"C:\Users\Admin\AppData\Local\Temp\295757477a07e2f8c97054d3293539518781c52206b5deb274f955082d8e7d87.exe"
C:\Users\Admin\AppData\Local\Temp\295757477a07e2f8c97054d3293539518781c52206b5deb274f955082d8e7d87.exe
"C:\Users\Admin\AppData\Local\Temp\295757477a07e2f8c97054d3293539518781c52206b5deb274f955082d8e7d87.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.141.123.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
memory/3452-134-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/3452-133-0x0000000000C40000-0x0000000000D2A000-memory.dmp
memory/3452-135-0x0000000005B80000-0x0000000006124000-memory.dmp
memory/3452-136-0x0000000005670000-0x0000000005702000-memory.dmp
memory/3452-137-0x0000000005590000-0x00000000055A0000-memory.dmp
memory/3452-138-0x0000000005650000-0x000000000565A000-memory.dmp
memory/3452-139-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/3452-140-0x0000000005590000-0x00000000055A0000-memory.dmp
memory/3452-141-0x000000000B030000-0x000000000B0CC000-memory.dmp
memory/2892-142-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2892-144-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3452-148-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/2892-149-0x0000000000400000-0x000000000046D000-memory.dmp