891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-10-2023 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d.exe
Size

1.4MB
MD5

7e29b6fff37bd93cf0d9521e4c397cc1
SHA1

d75cafbb9f4bf681251411c41e7386545acdc857
SHA256

891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d
SHA512

3fd402fc7f2349bde79dad200fb6e096f04d50554196c22483be6359b8227f8c8a01c6bdfb5e25e9964dd2904ec71704669f69fb89f4ff816093727bfbc17584
SSDEEP

24576:CaxdGY37A+0lUkqY8WFAYzB7GzWITItBUdZB4y6Xso4OKnjiuwD2pt3D284yG2na:BxdGu7ElQczUrBj4LxKnfA84Mn7G

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d.exe

description	pid	process	target process
PID 1900 set thread context of 1532	1900	891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3024 1532 WerFault.exe AppLaunch.exe

pid	pid_target	process	target process
3024	1532	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d.exeAppLaunch.exe

description	pid	process	target process
PID 1900 wrote to memory of 1532	1900	891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d.exe	AppLaunch.exe
PID 1900 wrote to memory of 1532	1900	891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d.exe	AppLaunch.exe
PID 1900 wrote to memory of 1532	1900	891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d.exe	AppLaunch.exe
PID 1900 wrote to memory of 1532	1900	891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d.exe	AppLaunch.exe
PID 1900 wrote to memory of 1532	1900	891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d.exe	AppLaunch.exe
PID 1900 wrote to memory of 1532	1900	891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d.exe	AppLaunch.exe
PID 1900 wrote to memory of 1532	1900	891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d.exe	AppLaunch.exe
PID 1900 wrote to memory of 1532	1900	891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d.exe	AppLaunch.exe
PID 1900 wrote to memory of 1532	1900	891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d.exe	AppLaunch.exe
PID 1900 wrote to memory of 1532	1900	891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d.exe	AppLaunch.exe
PID 1900 wrote to memory of 1532	1900	891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d.exe	AppLaunch.exe
PID 1900 wrote to memory of 1532	1900	891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d.exe	AppLaunch.exe
PID 1900 wrote to memory of 1532	1900	891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d.exe	AppLaunch.exe
PID 1900 wrote to memory of 1532	1900	891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d.exe	AppLaunch.exe
PID 1532 wrote to memory of 3024	1532	AppLaunch.exe	WerFault.exe
PID 1532 wrote to memory of 3024	1532	AppLaunch.exe	WerFault.exe
PID 1532 wrote to memory of 3024	1532	AppLaunch.exe	WerFault.exe
PID 1532 wrote to memory of 3024	1532	AppLaunch.exe	WerFault.exe
PID 1532 wrote to memory of 3024	1532	AppLaunch.exe	WerFault.exe
PID 1532 wrote to memory of 3024	1532	AppLaunch.exe	WerFault.exe
PID 1532 wrote to memory of 3024	1532	AppLaunch.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d.exe
"C:\Users\Admin\AppData\Local\Temp\891e4094562162e0b37415cb332957a612c3105ae1a61e3872dc32c9e6ddd40d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 200
3⤵
- Program crash
PID:3024

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1532-3-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1532-2-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1532-1-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1532-0-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1532-4-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1532-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1532-5-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1532-7-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1532-9-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1532-11-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download