a3fcb2846962fcefdb89ee30a6044825e8920630d039fc2e644ad9ce3142c432

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-09-2023 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977.exe
Size

1.4MB
MD5

0672b0ee00d516f82c5a8613985b28b1
SHA1

25dd683d0223c4e97a6b3e63f0e016c0352173ea
SHA256

f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977
SHA512

0b4feebdcc49473ef5942ba05bf50792f97f37af3ebd168aef40330856760fbc296c147800cdcd12f45ff05059cff256b7eed6454115e394e94799328c1c9286
SSDEEP

24576:ceSiHRUNdfGwf0DpEi2z9cdqKQ6jZ/GOhNKpgtrkqQNtJoTypbI:8iGJ0tz29cd1xjXKmtwITyi

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977.exe

description	pid	process	target process
PID 2356 set thread context of 3016	2356	f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1940 3016 WerFault.exe AppLaunch.exe

pid	pid_target	process	target process
1940	3016	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977.exeAppLaunch.exe

description	pid	process	target process
PID 2356 wrote to memory of 3016	2356	f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977.exe	AppLaunch.exe
PID 2356 wrote to memory of 3016	2356	f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977.exe	AppLaunch.exe
PID 2356 wrote to memory of 3016	2356	f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977.exe	AppLaunch.exe
PID 2356 wrote to memory of 3016	2356	f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977.exe	AppLaunch.exe
PID 2356 wrote to memory of 3016	2356	f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977.exe	AppLaunch.exe
PID 2356 wrote to memory of 3016	2356	f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977.exe	AppLaunch.exe
PID 2356 wrote to memory of 3016	2356	f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977.exe	AppLaunch.exe
PID 2356 wrote to memory of 3016	2356	f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977.exe	AppLaunch.exe
PID 2356 wrote to memory of 3016	2356	f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977.exe	AppLaunch.exe
PID 2356 wrote to memory of 3016	2356	f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977.exe	AppLaunch.exe
PID 2356 wrote to memory of 3016	2356	f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977.exe	AppLaunch.exe
PID 2356 wrote to memory of 3016	2356	f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977.exe	AppLaunch.exe
PID 2356 wrote to memory of 3016	2356	f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977.exe	AppLaunch.exe
PID 2356 wrote to memory of 3016	2356	f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977.exe	AppLaunch.exe
PID 3016 wrote to memory of 1940	3016	AppLaunch.exe	WerFault.exe
PID 3016 wrote to memory of 1940	3016	AppLaunch.exe	WerFault.exe
PID 3016 wrote to memory of 1940	3016	AppLaunch.exe	WerFault.exe
PID 3016 wrote to memory of 1940	3016	AppLaunch.exe	WerFault.exe
PID 3016 wrote to memory of 1940	3016	AppLaunch.exe	WerFault.exe
PID 3016 wrote to memory of 1940	3016	AppLaunch.exe	WerFault.exe
PID 3016 wrote to memory of 1940	3016	AppLaunch.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977.exe
"C:\Users\Admin\AppData\Local\Temp\f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 200
3⤵
- Program crash
PID:1940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3016-1-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3016-0-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3016-2-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3016-4-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3016-3-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3016-5-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3016-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3016-7-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3016-9-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3016-11-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download