2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

041f11543edf5591a8fb7b0037e3d115.exe
Size

1.3MB
MD5

041f11543edf5591a8fb7b0037e3d115
SHA1

ee5fb2448d4437c2eaefdfb7cac13a0a2162a775
SHA256

2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d
SHA512

3e3e5634cb560178ec75b2a74a92a9bbacedf53f046491ebf9e2d7849b1b1ea5327cf9e8e3cc2ffc3938ca12d6ab281ae466b4446c2b338fa35976ef6f5b83c4
SSDEEP

24576:6H4G8P8VYqjxxT6qZk1rFrXc0lLF5HskwGpLF2:1G8P8VcrlcwLXPpL8

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4496 set thread context of 4992	4496	041f11543edf5591a8fb7b0037e3d115.exe	88

Modifies registry class 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\tetdvfyvkr\d5dc359d = 269c2960b425eab62bfcaac6e99be2db08bdf7d0a1c2896d4327818b037a596184932c124b46c589084cca5435eb560154	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\tetdvfyvkr\d5dc359d = 45a589f2db9aa5f6012575536348c0e71b073573eb5523647a98bfe31981cd20b1dab24241c68c722ba98297ac16db4d7a3f1737ea420165d700f158cdab7174040be15e69cde4ad78fb4cee32ebf46d59	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\tetdvfyvkr\4ed9204c = e5d5c6502ca8feca5eec0ff873810bafbb63b7523ae124eb6d9c774af8dd47c04ed9fdd21e31dfcf5c5c95e25d7305fba3a35cf5cde704932aa2de67e4eedbf2000503ca1f5bdaa370fd173ca861d6f4d576ccd0c1a3e811644be605cc89f512826bf7b1f58ac5ae6fa35af56ba5abdf5fb271975db9161ecb4583950f94e4c828	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\tetdvfyvkr\827320d2 = 84fa5eb295088d8f849aea393708daba79c7c1f8576c2b8917b45b3cc0aabee80124d04c8ab56d1beec8926b98c1b0cf2a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\tetdvfyvkr\4f5e7dcb = a6dc12b3e190ebefafeb788bed55451aad0716034eccf82891801bd22545361c9234aa2d85501b67fa3667f8adcf868d2f23e6ff2ec880655b43399a18a6c523b41bb887e3d165ddb1462ac66dd6701d35518ef92f8af67bfffe71bf40e7e05be275e3a37fd6f3288a1b2743fa9f3738a4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\tetdvfyvkr\d45b681a = 85f4e318a758a9c559e4fa2f6c3a47912aad5cae5c26371ba878dddec63b7ff1444d9dcc9c23f0d3a8874039c5e99394e2b3454807c01b98a31716611130c7bd4f709fa87983cfcf16952c19c65d6a477c964dfa2ed6c9ec3735f309774b4a1366	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\tetdvfyvkr	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\tetdvfyvkr\83f47d55 = c7133ae722d8bf0918ea8d5bc4c2bfd9bd907dc823345cf0c9843a43d855fff9a8aa1bf4ca891cfb75123b0e0d538a94cc465531692d78b313f52c9eea8e832fb99da9b6e93235f9af04a59a362d92c93f28f3e0636f1f9e36a12da239ad49132d8eb5dfaa29fb18919e5ba02b9cde8aacb6ff2aa439b1b85387514956e30e754802bea825210d8a9affc04c754152de1b9a7af3b6109844f121f909ad7f8d7663a9f103f9992d77237d61563146b6a2e5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\tetdvfyvkr\9d3c3bf9 = c425995984bcac57ea784c501075f4e9084df8cee79ffc22245ba08dffd6e4999994c7ca89f689de5c0170171f8e750fa40200d138d211be4a0321adcf5301d50cea092d123629364b4c1a02cc77de9a78ddbef2d4ea785755adf698cccb839c21abb406091655f34f0fe01a309cc6bb96f3cd162fdca48e07eae734fc0009062a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\tetdvfyvkr\51963b67 = 0546223bc54bb7f4993fb43aa9feb8b346a07010ded6565dd10eaeb9caff0c8ee5916f838515ae6201b338e4ff3d85fc5d74f1633b170c7dee0030eb408118e36d	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4992	041f11543edf5591a8fb7b0037e3d115.exe
4992	041f11543edf5591a8fb7b0037e3d115.exe
4992	041f11543edf5591a8fb7b0037e3d115.exe
4992	041f11543edf5591a8fb7b0037e3d115.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 4992	4496	041f11543edf5591a8fb7b0037e3d115.exe	88
PID 4496 wrote to memory of 4992	4496	041f11543edf5591a8fb7b0037e3d115.exe	88
PID 4496 wrote to memory of 4992	4496	041f11543edf5591a8fb7b0037e3d115.exe	88
PID 4496 wrote to memory of 4992	4496	041f11543edf5591a8fb7b0037e3d115.exe	88
PID 4496 wrote to memory of 4992	4496	041f11543edf5591a8fb7b0037e3d115.exe	88
PID 4496 wrote to memory of 4992	4496	041f11543edf5591a8fb7b0037e3d115.exe	88
PID 4496 wrote to memory of 4992	4496	041f11543edf5591a8fb7b0037e3d115.exe	88
PID 4496 wrote to memory of 4992	4496	041f11543edf5591a8fb7b0037e3d115.exe	88
PID 4992 wrote to memory of 4956	4992	041f11543edf5591a8fb7b0037e3d115.exe	90
PID 4992 wrote to memory of 4956	4992	041f11543edf5591a8fb7b0037e3d115.exe	90
PID 4992 wrote to memory of 4956	4992	041f11543edf5591a8fb7b0037e3d115.exe	90
PID 4992 wrote to memory of 4956	4992	041f11543edf5591a8fb7b0037e3d115.exe	90
PID 4992 wrote to memory of 4956	4992	041f11543edf5591a8fb7b0037e3d115.exe	90

C:\Users\Admin\AppData\Local\Temp\041f11543edf5591a8fb7b0037e3d115.exe
"C:\Users\Admin\AppData\Local\Temp\041f11543edf5591a8fb7b0037e3d115.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Users\Admin\AppData\Local\Temp\041f11543edf5591a8fb7b0037e3d115.exe
  "C:\Users\Admin\AppData\Local\Temp\041f11543edf5591a8fb7b0037e3d115.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\System32\wermgr.exe
    C:\Windows\System32\wermgr.exe
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4496-10-0x0000000002020000-0x0000000002073000-memory.dmp

Filesize
332KB

Download
memory/4496-5-0x0000000002020000-0x0000000002073000-memory.dmp

Filesize
332KB

Download
memory/4496-2-0x0000000001FD0000-0x000000000201E000-memory.dmp

Filesize
312KB

Download
memory/4956-39-0x000001F524720000-0x000001F524750000-memory.dmp

Filesize
192KB

Download
memory/4956-41-0x000001F524720000-0x000001F524750000-memory.dmp

Filesize
192KB

Download
memory/4956-40-0x000001F524720000-0x000001F524750000-memory.dmp

Filesize
192KB

Download
memory/4956-43-0x000001F524720000-0x000001F524750000-memory.dmp

Filesize
192KB

Download
memory/4956-38-0x000001F524720000-0x000001F524750000-memory.dmp

Filesize
192KB

Download
memory/4956-27-0x000001F524720000-0x000001F524750000-memory.dmp

Filesize
192KB

Download
memory/4956-16-0x000001F524750000-0x000001F524752000-memory.dmp

Filesize
8KB

Download
memory/4956-37-0x000001F524720000-0x000001F524750000-memory.dmp

Filesize
192KB

Download
memory/4956-25-0x000001F524720000-0x000001F524750000-memory.dmp

Filesize
192KB

Download
memory/4956-24-0x000001F524720000-0x000001F524750000-memory.dmp

Filesize
192KB

Download
memory/4956-17-0x000001F524720000-0x000001F524750000-memory.dmp

Filesize
192KB

Download
memory/4992-14-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4992-26-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4992-0-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4992-13-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4992-23-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4992-11-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4992-12-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4992-15-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4992-9-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4992-8-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4992-7-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4992-1-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4992-4-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4992-6-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4992-3-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download