1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a

Analysis

max time kernel
118s
max time network
157s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-10-2023 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a.exe
Size

1.4MB
MD5

e2ff92f5a26904d1e2e18958fc4019de
SHA1

2b1c19a133de48b32c8514cf1169d7bd1c00f6bc
SHA256

1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a
SHA512

a24f1fd1c94e3eb253463f8e0985daf4239227f8ada480c82e97673a14b69e47ea41dc9191c0abfc172aa9c3363faa16f0da5621939f494350807353362e562e
SSDEEP

24576:Qi5lul0a8rRSDFxRWPYPubZ9VZyUZoav2vATrhufdHMYxI72V2DEHX8G9WtG:/5luaawRSDYPkk99o3AT8dHbHJ9WtG

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a.exe

description	pid	process	target process
PID 1688 set thread context of 2324	1688	1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2768 2324 WerFault.exe AppLaunch.exe

pid	pid_target	process	target process
2768	2324	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a.exeAppLaunch.exe

description	pid	process	target process
PID 1688 wrote to memory of 2324	1688	1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a.exe	AppLaunch.exe
PID 1688 wrote to memory of 2324	1688	1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a.exe	AppLaunch.exe
PID 1688 wrote to memory of 2324	1688	1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a.exe	AppLaunch.exe
PID 1688 wrote to memory of 2324	1688	1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a.exe	AppLaunch.exe
PID 1688 wrote to memory of 2324	1688	1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a.exe	AppLaunch.exe
PID 1688 wrote to memory of 2324	1688	1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a.exe	AppLaunch.exe
PID 1688 wrote to memory of 2324	1688	1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a.exe	AppLaunch.exe
PID 1688 wrote to memory of 2324	1688	1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a.exe	AppLaunch.exe
PID 1688 wrote to memory of 2324	1688	1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a.exe	AppLaunch.exe
PID 1688 wrote to memory of 2324	1688	1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a.exe	AppLaunch.exe
PID 1688 wrote to memory of 2324	1688	1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a.exe	AppLaunch.exe
PID 1688 wrote to memory of 2324	1688	1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a.exe	AppLaunch.exe
PID 1688 wrote to memory of 2324	1688	1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a.exe	AppLaunch.exe
PID 1688 wrote to memory of 2324	1688	1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a.exe	AppLaunch.exe
PID 2324 wrote to memory of 2768	2324	AppLaunch.exe	WerFault.exe
PID 2324 wrote to memory of 2768	2324	AppLaunch.exe	WerFault.exe
PID 2324 wrote to memory of 2768	2324	AppLaunch.exe	WerFault.exe
PID 2324 wrote to memory of 2768	2324	AppLaunch.exe	WerFault.exe
PID 2324 wrote to memory of 2768	2324	AppLaunch.exe	WerFault.exe
PID 2324 wrote to memory of 2768	2324	AppLaunch.exe	WerFault.exe
PID 2324 wrote to memory of 2768	2324	AppLaunch.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a.exe
"C:\Users\Admin\AppData\Local\Temp\1c294aba5ceffae22f970984a34e452122b8028ea4169bf7f0af32bbadbdff7a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 200
3⤵
- Program crash
PID:2768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2324-0-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2324-1-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2324-3-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2324-5-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2324-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2324-7-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2324-4-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2324-2-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2324-9-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2324-11-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download