ce5804c5e440f29d931c8ced3179cef7cc9968d08651c2017bf8231915b346e0

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 13:09

Target

40f21e936dcec005add8f1aaa4d332fa.exe
Size

240KB
MD5

40f21e936dcec005add8f1aaa4d332fa
SHA1

2bd98cb50305ce58d2a397e8890fd2fc8d9f0a5c
SHA256

ce5804c5e440f29d931c8ced3179cef7cc9968d08651c2017bf8231915b346e0
SHA512

22acf04458c7c6771857e6737ecd07a74881bfb92494f129f7b22c53ed8db8c4f817ec1a03c78635866767a7e26b91095f4b15f721f4f5015f0d3c66dafb701d
SSDEEP

3072:8RRSuEEFOZuswPjCEHpu35Vk6HSngNrlpjWHg40bfeNXDxkXFIyqQ4ZSA2Z81:cRSXEFx5Hw3FL7RagXORQ+V

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
1048	40f21e936dcec005add8f1aaa4d332famgr.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/2836-0-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x00050000000006e9-3.dat	upx
behavioral2/memory/1048-5-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2836-7-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1048-8-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4680	1048	WerFault.exe	88
3016	2836	WerFault.exe	87

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 1048	2836	40f21e936dcec005add8f1aaa4d332fa.exe	88
PID 2836 wrote to memory of 1048	2836	40f21e936dcec005add8f1aaa4d332fa.exe	88
PID 2836 wrote to memory of 1048	2836	40f21e936dcec005add8f1aaa4d332fa.exe	88

C:\Users\Admin\AppData\Local\Temp\40f21e936dcec005add8f1aaa4d332fa.exe
"C:\Users\Admin\AppData\Local\Temp\40f21e936dcec005add8f1aaa4d332fa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\Temp\40f21e936dcec005add8f1aaa4d332famgr.exe
  C:\Users\Admin\AppData\Local\Temp\40f21e936dcec005add8f1aaa4d332famgr.exe
  2⤵
  - Executes dropped EXE
  PID:1048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 320
    3⤵
    - Program crash
    PID:4680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 320
  2⤵
  - Program crash
  PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1048 -ip 1048
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2836 -ip 2836
1⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\40f21e936dcec005add8f1aaa4d332famgr.exe

Filesize
119KB

MD5
76991eefea6cb01e1d7435ae973858e6

SHA1
d8f514374f5ae13a919ebc9b006128f7c6886d5c

SHA256
55db0ecb09d26711a15367bc87f0c042d1a0b97a6745f59bb827ebfccab4369d

SHA512
385d3d61e6abbd6c7971b5bbb6b3358b8c7ce5c9b44701eff1c61c469116ecfb34dea790ff5205c781281ddd9b779807af6f8786270e8317fd6f4781f6aa88b7

Download Submit
memory/1048-5-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1048-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2836-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2836-6-0x0000000000A00000-0x0000000000A02000-memory.dmp

Filesize
8KB

Download
memory/2836-7-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download