c5d18806589281e12cf121f89da8ba214864c41f1184139dab65a554b5bdcf71

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-09-2023 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec.exe
Size

1.4MB
MD5

48347144a1a642784cceb33a54c25776
SHA1

eb0d5cb61df4afecf8a4d0781df444bdc5bfa324
SHA256

0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec
SHA512

a252ef28475800c3920df7cc1b19414d617f33ad2459d7b28a71c1ce710ce3b842f1ac891a1abd4212fb8d489950be0cf12194febb61a43dedc1499b39fd262f
SSDEEP

24576:TWFkfGnbsRP7HBESGXtD+oSd/mAftIBvjEyV5Jvo5CmFfUsRb991lvqmtFNp:OkubspHBESGXKmSiBvwyVjAXfRPqmFX

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec.exe

description	pid	process	target process
PID 2468 set thread context of 2884	2468	0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1140 2884 WerFault.exe AppLaunch.exe

pid	pid_target	process	target process
1140	2884	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec.exeAppLaunch.exe

description	pid	process	target process
PID 2468 wrote to memory of 2884	2468	0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec.exe	AppLaunch.exe
PID 2468 wrote to memory of 2884	2468	0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec.exe	AppLaunch.exe
PID 2468 wrote to memory of 2884	2468	0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec.exe	AppLaunch.exe
PID 2468 wrote to memory of 2884	2468	0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec.exe	AppLaunch.exe
PID 2468 wrote to memory of 2884	2468	0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec.exe	AppLaunch.exe
PID 2468 wrote to memory of 2884	2468	0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec.exe	AppLaunch.exe
PID 2468 wrote to memory of 2884	2468	0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec.exe	AppLaunch.exe
PID 2468 wrote to memory of 2884	2468	0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec.exe	AppLaunch.exe
PID 2468 wrote to memory of 2884	2468	0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec.exe	AppLaunch.exe
PID 2468 wrote to memory of 2884	2468	0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec.exe	AppLaunch.exe
PID 2468 wrote to memory of 2884	2468	0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec.exe	AppLaunch.exe
PID 2468 wrote to memory of 2884	2468	0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec.exe	AppLaunch.exe
PID 2468 wrote to memory of 2884	2468	0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec.exe	AppLaunch.exe
PID 2468 wrote to memory of 2884	2468	0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec.exe	AppLaunch.exe
PID 2884 wrote to memory of 1140	2884	AppLaunch.exe	WerFault.exe
PID 2884 wrote to memory of 1140	2884	AppLaunch.exe	WerFault.exe
PID 2884 wrote to memory of 1140	2884	AppLaunch.exe	WerFault.exe
PID 2884 wrote to memory of 1140	2884	AppLaunch.exe	WerFault.exe
PID 2884 wrote to memory of 1140	2884	AppLaunch.exe	WerFault.exe
PID 2884 wrote to memory of 1140	2884	AppLaunch.exe	WerFault.exe
PID 2884 wrote to memory of 1140	2884	AppLaunch.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec.exe
"C:\Users\Admin\AppData\Local\Temp\0a4b8de180154e727ad791d23739588c3d5a4d01a54cd8f661e6e8adb80e8cec.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 200
3⤵
- Program crash
PID:1140

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2884-0-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2884-1-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2884-2-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2884-3-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2884-4-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2884-5-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2884-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2884-7-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2884-9-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2884-11-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download