863ea971df381e9b41140fd526596ad1ea75a04fbe480d26da2e84ccaad87fa1

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 01:06

Target

1f31ee99860972128949d5d092c985df.exe
Size

128KB
MD5

1f31ee99860972128949d5d092c985df
SHA1

d0a223343824af19daeb35d1cf6febbfd60f4fc5
SHA256

863ea971df381e9b41140fd526596ad1ea75a04fbe480d26da2e84ccaad87fa1
SHA512

517d529aa46935cd7edcb503dd67640f9dad9787ecb6782aebaf84fd6ff66b0c6963f8de76bb3e99c18e115fa8d3437796bed3f2d9fdcb2146de0baa7563f258
SSDEEP

3072:z3pXaaYJHGb4vm1YbRJGpv0jKagDJmKbgemPMMy4Ff7:78MpWb20jKa4dbYPMMy4t

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
4288	wermgr.exe
4588	wermgr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 2644	896	1f31ee99860972128949d5d092c985df.exe	88
PID 896 wrote to memory of 2644	896	1f31ee99860972128949d5d092c985df.exe	88
PID 896 wrote to memory of 2644	896	1f31ee99860972128949d5d092c985df.exe	88
PID 2644 wrote to memory of 4288	2644	1f31ee99860972128949d5d092c985df.exe	89
PID 2644 wrote to memory of 4288	2644	1f31ee99860972128949d5d092c985df.exe	89
PID 2644 wrote to memory of 4288	2644	1f31ee99860972128949d5d092c985df.exe	89
PID 4288 wrote to memory of 4588	4288	wermgr.exe	90
PID 4288 wrote to memory of 4588	4288	wermgr.exe	90
PID 4288 wrote to memory of 4588	4288	wermgr.exe	90

C:\Users\Admin\AppData\Local\Temp\1f31ee99860972128949d5d092c985df.exe
"C:\Users\Admin\AppData\Local\Temp\1f31ee99860972128949d5d092c985df.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:896
- C:\Users\Admin\AppData\Local\Temp\1f31ee99860972128949d5d092c985df.exe
  "C:\Users\Admin\AppData\Local\Temp\1f31ee99860972128949d5d092c985df.exe" 528
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\wermgr.exe
    "C:\Users\Admin\AppData\Local\Temp\wermgr.exe" {41AEC828-3A9B-4f4d-8E7A-C8DB200075B2} 4088 "C:\Users\Admin\AppData\Local\Temp\1f31ee99860972128949d5d092c985df.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Users\Admin\AppData\Local\Temp\wermgr.exe
      "C:\Users\Admin\AppData\Local\Temp\wermgr.exe" {41AEC828-3A9B-4f4d-8E7A-C8DB200075B2} 4088 4944 "C:\Users\Admin\AppData\Local\Temp\1f31ee99860972128949d5d092c985df.exe"
      4⤵
      Executes dropped EXE
      PID:4588

C:\Users\Admin\AppData\Local\Temp\wermgr.exe

Filesize
128KB

MD5
a9150b715ee1ad0923689d3894c23585

SHA1
259e338aefaa3bb7f4a4c705613a2fc5292c67dd

SHA256
fe6082a8bdb45c95745ae159417d3b089d6f515675c65f689d8d65f12b949623

SHA512
587454ce08890fbfbd42eb912020c247d8524d59d16fbceb7394e73e2d9087d90bac5bc8603fa8a63566f947b3fcbe4536b45bc26f6fcc2b18cb132101012f8f

Download Submit