4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4

Analysis

max time kernel
37s
max time network
35s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-10-2023 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4.exe
Size

1.4MB
MD5

877cee0812b62784087c9cb85630c459
SHA1

a47caaa4979639e756e1431a3e915e84710838e6
SHA256

4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4
SHA512

ba8272faed2b3e751b5ed8aeb9c0767e4c031184414e3090e324f9e42adfbd98d41758478a9d52b0cd75610460d7e195a7e4e3fe5fa130dcbcf4b89f378d6e33
SSDEEP

24576:c4PTAQxFdzHS1QSABeg2UChnVOTtAXIFVHmnxp4o6AQC6bxW843Nu9C8nsG:lPTAQbRS1nAYZBhnrH6ACGu9CKsG

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4.exe

description	pid	process	target process
PID 1020 set thread context of 2880	1020	4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2684 2880 WerFault.exe AppLaunch.exe

pid	pid_target	process	target process
2684	2880	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4.exeAppLaunch.exe

description	pid	process	target process
PID 1020 wrote to memory of 2880	1020	4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4.exe	AppLaunch.exe
PID 1020 wrote to memory of 2880	1020	4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4.exe	AppLaunch.exe
PID 1020 wrote to memory of 2880	1020	4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4.exe	AppLaunch.exe
PID 1020 wrote to memory of 2880	1020	4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4.exe	AppLaunch.exe
PID 1020 wrote to memory of 2880	1020	4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4.exe	AppLaunch.exe
PID 1020 wrote to memory of 2880	1020	4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4.exe	AppLaunch.exe
PID 1020 wrote to memory of 2880	1020	4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4.exe	AppLaunch.exe
PID 1020 wrote to memory of 2880	1020	4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4.exe	AppLaunch.exe
PID 1020 wrote to memory of 2880	1020	4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4.exe	AppLaunch.exe
PID 1020 wrote to memory of 2880	1020	4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4.exe	AppLaunch.exe
PID 1020 wrote to memory of 2880	1020	4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4.exe	AppLaunch.exe
PID 1020 wrote to memory of 2880	1020	4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4.exe	AppLaunch.exe
PID 1020 wrote to memory of 2880	1020	4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4.exe	AppLaunch.exe
PID 1020 wrote to memory of 2880	1020	4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4.exe	AppLaunch.exe
PID 2880 wrote to memory of 2684	2880	AppLaunch.exe	WerFault.exe
PID 2880 wrote to memory of 2684	2880	AppLaunch.exe	WerFault.exe
PID 2880 wrote to memory of 2684	2880	AppLaunch.exe	WerFault.exe
PID 2880 wrote to memory of 2684	2880	AppLaunch.exe	WerFault.exe
PID 2880 wrote to memory of 2684	2880	AppLaunch.exe	WerFault.exe
PID 2880 wrote to memory of 2684	2880	AppLaunch.exe	WerFault.exe
PID 2880 wrote to memory of 2684	2880	AppLaunch.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4.exe
"C:\Users\Admin\AppData\Local\Temp\4fad1aa56d92a13d529742673d6a35790a171c116e785e33efde4bb4e0b317c4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 200
3⤵
- Program crash
PID:2684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2880-0-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2880-1-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2880-2-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2880-3-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2880-4-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2880-5-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2880-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2880-7-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2880-9-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2880-11-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download