0934f8d21e02c792e3921c11bfdfb330ede0204845d7a991bd721f469153291f

Analysis

max time kernel
240s
max time network
282s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe
Size

1.1MB
MD5

c04d1d7fdb1bf28fd4dca1bb1f92afcb
SHA1

046e6dfaf73e7477175be6d263e82f0f729d6aa3
SHA256

8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49
SHA512

bd5bafcad34d7d7750cd131edadce3673779258c225de5729547793d771186335d3749cfd71d76a37647c4a85fc061bde5f01c5bcc1510ba039706c9a67598bb
SSDEEP

12288:4NsxUN2dA1IY9i4ytPDxZZZVf95Tjz8L2aB4vIubLkS8jzYS4Iypg9dLCAW:GsxW2dA1h9i4ytXVX3dGYSUpXAW

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2504 set thread context of 2532	2504	8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe	28

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2520	2504	WerFault.exe	23
2632	2532	WerFault.exe	28

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2532	2504	8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe	28
PID 2504 wrote to memory of 2532	2504	8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe	28
PID 2504 wrote to memory of 2532	2504	8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe	28
PID 2504 wrote to memory of 2532	2504	8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe	28
PID 2504 wrote to memory of 2532	2504	8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe	28
PID 2504 wrote to memory of 2532	2504	8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe	28
PID 2504 wrote to memory of 2532	2504	8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe	28
PID 2504 wrote to memory of 2532	2504	8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe	28
PID 2504 wrote to memory of 2532	2504	8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe	28
PID 2504 wrote to memory of 2532	2504	8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe	28
PID 2504 wrote to memory of 2532	2504	8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe	28
PID 2504 wrote to memory of 2532	2504	8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe	28
PID 2504 wrote to memory of 2532	2504	8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe	28
PID 2504 wrote to memory of 2532	2504	8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe	28
PID 2504 wrote to memory of 2520	2504	8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe	29
PID 2504 wrote to memory of 2520	2504	8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe	29
PID 2504 wrote to memory of 2520	2504	8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe	29
PID 2504 wrote to memory of 2520	2504	8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe	29
PID 2532 wrote to memory of 2632	2532	AppLaunch.exe	30
PID 2532 wrote to memory of 2632	2532	AppLaunch.exe	30
PID 2532 wrote to memory of 2632	2532	AppLaunch.exe	30
PID 2532 wrote to memory of 2632	2532	AppLaunch.exe	30
PID 2532 wrote to memory of 2632	2532	AppLaunch.exe	30
PID 2532 wrote to memory of 2632	2532	AppLaunch.exe	30
PID 2532 wrote to memory of 2632	2532	AppLaunch.exe	30

C:\Users\Admin\AppData\Local\Temp\8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe
"C:\Users\Admin\AppData\Local\Temp\8c6685db37af4197e732479abbd02922d92baca08fd07b5bddd4836d80ad8a49.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 196
    3⤵
    - Program crash
    PID:2632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 92
  2⤵
  - Program crash
  PID:2520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2532-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-1-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-2-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-4-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-3-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-5-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2532-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads