2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

041f11543edf5591a8fb7b0037e3d115.exe
Size

1.3MB
MD5

041f11543edf5591a8fb7b0037e3d115
SHA1

ee5fb2448d4437c2eaefdfb7cac13a0a2162a775
SHA256

2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d
SHA512

3e3e5634cb560178ec75b2a74a92a9bbacedf53f046491ebf9e2d7849b1b1ea5327cf9e8e3cc2ffc3938ca12d6ab281ae466b4446c2b338fa35976ef6f5b83c4
SSDEEP

24576:6H4G8P8VYqjxxT6qZk1rFrXc0lLF5HskwGpLF2:1G8P8VcrlcwLXPpL8

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

041f11543edf5591a8fb7b0037e3d115.exe

description	pid	Process	procid_target
PID 1212 set thread context of 1468	1212	041f11543edf5591a8fb7b0037e3d115.exe	85

Modifies registry class 10 IoCs

Processes:

wermgr.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\goajrnoznyii\9775803d = 440f6c3f41a86a883d985bd1d46b33845bc869eb6584a079126268113012b6ee1c91ea991aef6904a6255423faccf7a0a2a2404b60b0136b5dc261f93a84174be6f4f12f9071c2b7d90d719f6c5f1f905a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\goajrnoznyii\44909b88 = 66b84874f595f8639a2de0ca0b892d11f9cbd837c4f2072b9240b34c0c1768df6fe0c379c602ba7276fb762aa5c908b537308f319528eec8a82ef2d54a4e2ffe44e40acea43c558dbc48c8ce40f74e3b510c36bf55597ea881b09f618a551155d4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\goajrnoznyii\883a9b16 = 842ea182b6c38dc9dc07e0362f27b0e0ad11ac980d6b981e36452e348839b4c0217f071487aa3a8ed73bba0fe957f30231cf49b999d9db0ad29aefee71623a93df5f8a20e26599cfce4d06c2cb011bb43d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\goajrnoznyii\df958e59 = a4f6c746f21757d0f40d7fabfc27bf9c718baeac9d5195b4360fa86b3ca71486507f5e85d83afc2f5aefa243bfd903f6e34d940cc3314e07938ccf726ce497931524411b217207a57369e92553e303fc13	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\goajrnoznyii	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\goajrnoznyii\df958e59 = 67bde6a9455f574ac2e006e9349e76ddbdc88f5c297c1d9b9dca4d9a920aca5de407b84ebeeb15745d28d25bb641a105eab1fc8d5974f2a3c27adc714d975839b3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\goajrnoznyii\89bdc691 = 47d565eec2b40fe486ccf2cd573bbff6a8ffc31524f7fb1eea66b21713c2d274963dda53f6f2154d80444545e64a7f229a6975a77de21c2a3e0d4d1207519a2678a13faa2c251db64609e1d7444cbb14f2ab70edd1e4d13edd663d3b3597cf93baf460ec91d2b2c15bbe8b6d1f74f2a3e8251d5cb8f8ed4a9f858f1d1aed154a2b18492c45f9a678aa8e4b3174ab486add	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\goajrnoznyii\5bdf80a3 = 468d90f44cc15b54fba51709c72be77cfc85146f3d996d7c2eb1cb122d7cc27538964a506a79d805d708de10d5c0bea322a6ed2ca3cb56c81755414fc8b8dbab8a78d0c8502cd0eab7dc523708ed09ab036367277c927c540f577724e6da78c16ced5b88a4466bc66c5ee2cb35426dd034	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\goajrnoznyii\4517c60f = 65b2356561486d9296d8c4b4a7823511a015e690ec2f4137607c5bf5d3dfd176b656dcb10d05115ac718a74d84ff8ff1497588330d5968f41ae42fe090b2f56cbfc9cb605dc16cd3942e04bc265d26f4856c64f3f6c2034a677ecd9e89a5a4db083150835a4156490cbc3efa8ef3117c410128ec8c2668b97f272db708f46827a2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\goajrnoznyii\de12d3de = 45c2f6aba6cd64ca9e39685c16bcaf585d4fc2312cc360474da14e6ac7f4f48d478c4e6c45871a7b99d2ef63ef780d9e7a33697e2d4bd42e8f79cf2f0df07dcdaf4aa864151bca04854e2643a7e846f94f	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

041f11543edf5591a8fb7b0037e3d115.exewermgr.exe

pid	Process
1468	041f11543edf5591a8fb7b0037e3d115.exe
1468	041f11543edf5591a8fb7b0037e3d115.exe
1468	041f11543edf5591a8fb7b0037e3d115.exe
1468	041f11543edf5591a8fb7b0037e3d115.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

041f11543edf5591a8fb7b0037e3d115.exe041f11543edf5591a8fb7b0037e3d115.exe

description	pid	Process	procid_target
PID 1212 wrote to memory of 1468	1212	041f11543edf5591a8fb7b0037e3d115.exe	85
PID 1212 wrote to memory of 1468	1212	041f11543edf5591a8fb7b0037e3d115.exe	85
PID 1212 wrote to memory of 1468	1212	041f11543edf5591a8fb7b0037e3d115.exe	85
PID 1212 wrote to memory of 1468	1212	041f11543edf5591a8fb7b0037e3d115.exe	85
PID 1212 wrote to memory of 1468	1212	041f11543edf5591a8fb7b0037e3d115.exe	85
PID 1212 wrote to memory of 1468	1212	041f11543edf5591a8fb7b0037e3d115.exe	85
PID 1212 wrote to memory of 1468	1212	041f11543edf5591a8fb7b0037e3d115.exe	85
PID 1212 wrote to memory of 1468	1212	041f11543edf5591a8fb7b0037e3d115.exe	85
PID 1468 wrote to memory of 3744	1468	041f11543edf5591a8fb7b0037e3d115.exe	91
PID 1468 wrote to memory of 3744	1468	041f11543edf5591a8fb7b0037e3d115.exe	91
PID 1468 wrote to memory of 3744	1468	041f11543edf5591a8fb7b0037e3d115.exe	91
PID 1468 wrote to memory of 3744	1468	041f11543edf5591a8fb7b0037e3d115.exe	91
PID 1468 wrote to memory of 3744	1468	041f11543edf5591a8fb7b0037e3d115.exe	91

C:\Users\Admin\AppData\Local\Temp\041f11543edf5591a8fb7b0037e3d115.exe
"C:\Users\Admin\AppData\Local\Temp\041f11543edf5591a8fb7b0037e3d115.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\041f11543edf5591a8fb7b0037e3d115.exe
  "C:\Users\Admin\AppData\Local\Temp\041f11543edf5591a8fb7b0037e3d115.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\System32\wermgr.exe
    C:\Windows\System32\wermgr.exe
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:3744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1212-2-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1212-4-0x0000000002110000-0x0000000002163000-memory.dmp

Filesize
332KB

Download
memory/1212-10-0x0000000002110000-0x0000000002163000-memory.dmp

Filesize
332KB

Download
memory/1468-14-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/1468-1-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/1468-7-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/1468-3-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/1468-9-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/1468-6-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/1468-5-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/1468-23-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/1468-12-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/1468-11-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/1468-13-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/1468-0-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/1468-15-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/1468-8-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/1468-26-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3744-16-0x000001AF9D900000-0x000001AF9D902000-memory.dmp

Filesize
8KB

Download
memory/3744-24-0x000001AF9D8D0000-0x000001AF9D900000-memory.dmp

Filesize
192KB

Download
memory/3744-25-0x000001AF9D8D0000-0x000001AF9D900000-memory.dmp

Filesize
192KB

Download
memory/3744-17-0x000001AF9D8D0000-0x000001AF9D900000-memory.dmp

Filesize
192KB

Download
memory/3744-27-0x000001AF9D8D0000-0x000001AF9D900000-memory.dmp

Filesize
192KB

Download
memory/3744-38-0x000001AF9D8D0000-0x000001AF9D900000-memory.dmp

Filesize
192KB

Download
memory/3744-39-0x000001AF9D8D0000-0x000001AF9D900000-memory.dmp

Filesize
192KB

Download
memory/3744-37-0x000001AF9D8D0000-0x000001AF9D900000-memory.dmp

Filesize
192KB

Download
memory/3744-40-0x000001AF9D8D0000-0x000001AF9D900000-memory.dmp

Filesize
192KB

Download
memory/3744-41-0x000001AF9D8D0000-0x000001AF9D900000-memory.dmp

Filesize
192KB

Download
memory/3744-43-0x000001AF9D8D0000-0x000001AF9D900000-memory.dmp

Filesize
192KB

Download