9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43

Analysis

max time kernel
120s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe
Size

1.3MB
MD5

66517d9105802998a136a7232dc585b5
SHA1

d03716a9353992e300917bf202420c46baa30f3c
SHA256

9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43
SHA512

bece6e5efa02fb09b6cc3fa1f0a6aae07a340a3b9eeecbc30cf5d9283d86c02e4d86203675383b66cc7def0edec8d092aed8b3f9ecc0dd710517cddf60b7f9cd
SSDEEP

24576:+092Q+pf9HgPycWuPNpH9gLcJVuDBWhg+izBqyRC9eQ:+092Q0f9AfWS9JVyxzBTOeQ

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe

description	pid	process	target process
PID 2412 set thread context of 2580	2412	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2768 2580 WerFault.exe AppLaunch.exe

pid	pid_target	process	target process
2768	2580	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exeAppLaunch.exe

description	pid	process	target process
PID 2412 wrote to memory of 2580	2412	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2412 wrote to memory of 2580	2412	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2412 wrote to memory of 2580	2412	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2412 wrote to memory of 2580	2412	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2412 wrote to memory of 2580	2412	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2412 wrote to memory of 2580	2412	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2412 wrote to memory of 2580	2412	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2412 wrote to memory of 2580	2412	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2412 wrote to memory of 2580	2412	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2412 wrote to memory of 2580	2412	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2412 wrote to memory of 2580	2412	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2412 wrote to memory of 2580	2412	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2412 wrote to memory of 2580	2412	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2412 wrote to memory of 2580	2412	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2580 wrote to memory of 2768	2580	AppLaunch.exe	WerFault.exe
PID 2580 wrote to memory of 2768	2580	AppLaunch.exe	WerFault.exe
PID 2580 wrote to memory of 2768	2580	AppLaunch.exe	WerFault.exe
PID 2580 wrote to memory of 2768	2580	AppLaunch.exe	WerFault.exe
PID 2580 wrote to memory of 2768	2580	AppLaunch.exe	WerFault.exe
PID 2580 wrote to memory of 2768	2580	AppLaunch.exe	WerFault.exe
PID 2580 wrote to memory of 2768	2580	AppLaunch.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe
"C:\Users\Admin\AppData\Local\Temp\9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 200
3⤵
- Program crash
PID:2768

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2580-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2580-1-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2580-2-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2580-3-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2580-4-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2580-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2580-5-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2580-7-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2580-9-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2580-11-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download