85fb6e20e431ffb74b9e4d3e13eb15e4bdb3cabf6391a4a7f1d7b3ae014dddbf

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-09-2023 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c.exe
Size

1.4MB
MD5

e789bd7c43179357bdce12f1d027b239
SHA1

1e4fd640989fc02e1cf97caaf8588f10667c71f4
SHA256

854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c
SHA512

a1453a643867f2ebc3c5d7d957676cff4b4230e0462639a0f42f9825f64199251ac4eb7d4d6cc178a6b182bf56f3b56d1e0007b9320bfb0a40e3475258b66bec
SSDEEP

24576:aXSiH75lLheIWKJQmmuUOEwGbp5QZWBZ3vr2V0u9n6Nt9/o:ribbLII/JQmmuM7bnR3j2Ved

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c.exe

description	pid	process	target process
PID 2564 set thread context of 2884	2564	854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2608 2884 WerFault.exe AppLaunch.exe

pid	pid_target	process	target process
2608	2884	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c.exeAppLaunch.exe

description	pid	process	target process
PID 2564 wrote to memory of 2884	2564	854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c.exe	AppLaunch.exe
PID 2564 wrote to memory of 2884	2564	854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c.exe	AppLaunch.exe
PID 2564 wrote to memory of 2884	2564	854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c.exe	AppLaunch.exe
PID 2564 wrote to memory of 2884	2564	854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c.exe	AppLaunch.exe
PID 2564 wrote to memory of 2884	2564	854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c.exe	AppLaunch.exe
PID 2564 wrote to memory of 2884	2564	854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c.exe	AppLaunch.exe
PID 2564 wrote to memory of 2884	2564	854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c.exe	AppLaunch.exe
PID 2564 wrote to memory of 2884	2564	854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c.exe	AppLaunch.exe
PID 2564 wrote to memory of 2884	2564	854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c.exe	AppLaunch.exe
PID 2564 wrote to memory of 2884	2564	854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c.exe	AppLaunch.exe
PID 2564 wrote to memory of 2884	2564	854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c.exe	AppLaunch.exe
PID 2564 wrote to memory of 2884	2564	854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c.exe	AppLaunch.exe
PID 2564 wrote to memory of 2884	2564	854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c.exe	AppLaunch.exe
PID 2564 wrote to memory of 2884	2564	854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c.exe	AppLaunch.exe
PID 2884 wrote to memory of 2608	2884	AppLaunch.exe	WerFault.exe
PID 2884 wrote to memory of 2608	2884	AppLaunch.exe	WerFault.exe
PID 2884 wrote to memory of 2608	2884	AppLaunch.exe	WerFault.exe
PID 2884 wrote to memory of 2608	2884	AppLaunch.exe	WerFault.exe
PID 2884 wrote to memory of 2608	2884	AppLaunch.exe	WerFault.exe
PID 2884 wrote to memory of 2608	2884	AppLaunch.exe	WerFault.exe
PID 2884 wrote to memory of 2608	2884	AppLaunch.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c.exe
"C:\Users\Admin\AppData\Local\Temp\854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 200
3⤵
- Program crash
PID:2608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2884-0-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2884-1-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2884-2-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2884-3-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2884-5-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2884-4-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2884-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2884-7-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2884-9-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2884-11-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download