6ebeb06cb2d2beddb16bfd2a4e689ac133b34e734954b694edf0aa2c3ea25ae6

General

Target

1ef652cf753aac92977c2cfea7fe08c4.exe
Size

3.1MB
MD5

1ef652cf753aac92977c2cfea7fe08c4
SHA1

2c4b9cb5ae6f174c97626c02a4a122e48c43dee2
SHA256

6ebeb06cb2d2beddb16bfd2a4e689ac133b34e734954b694edf0aa2c3ea25ae6
SHA512

3ea9fdbaaf006ffe69b126e92398a779e1887865a8b555f0e39fb31c0ea8edd9d265d79318f3e2ad314dabcab46c4855688472a016c30aafb9aa02ef56870126
SSDEEP

49152:0itOd4k7ydepSSPIZDscC+QZKDVdfu31h:0iK4IIZYfZKDVQFh

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4228 4084 WerFault.exe notepad.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1ef652cf753aac92977c2cfea7fe08c4.exe

pid process

1792 1ef652cf753aac92977c2cfea7fe08c4.exe

pid	pid_target	process	target process
4228	4084	WerFault.exe	notepad.exe

pid	process
1792	1ef652cf753aac92977c2cfea7fe08c4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1ef652cf753aac92977c2cfea7fe08c4.exe

description	pid	process	target process
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe
PID 1792 wrote to memory of 4084	1792	1ef652cf753aac92977c2cfea7fe08c4.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\1ef652cf753aac92977c2cfea7fe08c4.exe
"C:\Users\Admin\AppData\Local\Temp\1ef652cf753aac92977c2cfea7fe08c4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 140
    3⤵
    - Program crash
    PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4084 -ip 4084
1⤵
PID:1200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1792-0-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/1792-1-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/1792-2-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/1792-3-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/1792-6-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/1792-7-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads