2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

041f11543edf5591a8fb7b0037e3d115.exe
Size

1.3MB
MD5

041f11543edf5591a8fb7b0037e3d115
SHA1

ee5fb2448d4437c2eaefdfb7cac13a0a2162a775
SHA256

2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d
SHA512

3e3e5634cb560178ec75b2a74a92a9bbacedf53f046491ebf9e2d7849b1b1ea5327cf9e8e3cc2ffc3938ca12d6ab281ae466b4446c2b338fa35976ef6f5b83c4
SSDEEP

24576:6H4G8P8VYqjxxT6qZk1rFrXc0lLF5HskwGpLF2:1G8P8VcrlcwLXPpL8

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

041f11543edf5591a8fb7b0037e3d115.exe

description	pid	Process	procid_target
PID 4068 set thread context of 4048	4068	041f11543edf5591a8fb7b0037e3d115.exe	86

Modifies registry class 10 IoCs

Processes:

wermgr.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\axlbntonuiya\93275439 = e7e064ab5f53945686d2e42569b5d94826b98ac245b3c6e58cea2fc02fd199fd124687697c27294536dc0d435e0457e33aca90295ad035957818284b89573711df6a8b2f2a02d428a62a690daba312034db79ad4d4e3c506c2cba48c7aa00422bf1dc1cf2868e2698c06999756bd7d4f3c	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\axlbntonuiya	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\axlbntonuiya\82241e8 = 066067306c50c32fa765107543078900ad60d793038c6d4d2822695b20591c1541fba1b4946d8cc53b81a6a3061c5f0fb11a4ebbbf676aaa2e6b271d717e0d8f8aec1b8fb0f60bd361b2219ccf77c527964bdde4594985440104cc236a986b97cd80ea268cdfb61284198bf0374cdb395b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\axlbntonuiya\8c684f12 = 67752a19d10e75651f82d9f810aca57f81fbb094a210d84a01c76338e711bd47ba0c3d98ffc0c4bab35d3102ef3459a9e51b7e7faddc36b96978f9180df0fa74cac4522edb7133ee29e78ee076f73830fbbca011aef9662eb998db7055ed16fc0a69a617b977e2d39a9f28a463a68933e28693bb19d6b3b14c1d129e0aca59a93f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\axlbntonuiya\5f8d54a7 = 84cad4f2e2b4bb3c1219bca62de33a82e1cf7eafeca869036514df97ca0dffec9b7e41e4e85f14e50caf0b5c091f4f7963b7023245aef90a7087db2244046bec4a31e3aa7321b25b7ecff5b06ec5f41c74	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\axlbntonuiya\92a009be = 26bf613a7d02d018b1329a309208a371e55ad9189d9b03bf8cf3767a7f25a472550aecd627777de5f2d7f376b07e297fa7daafc9fcb9bdf6b0bafc71232ecc1176	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\axlbntonuiya\9a51c6f = 05dd1b1fab095bb85e5f492240007b4c53d591ed7fca9afa2bbd633b5052b41e4983832c10de5449cfe01e3fb94ff0e41a779cb63647b9e9ff372fd54d3e09966cda4fc49446514a8bbfc2570e99837caa	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\axlbntonuiya\82241e8 = 66f341fa199ea78e15b11d0a975c41543b25384884143e1718e868a8ced0a41cb3f047a049780b2331731bdf55463495ccce9300c5127a82cf6e53f5efefc8430839ffe89eb4beb932428347d1eb761f6e5a1553463ff906bd7b0a79386189592eb4ed74f7d96d2f820bd71ede97def05e1d500080b651ba32caa36d310082c378	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\axlbntonuiya\5e0a0920 = 6606ac4f3fa74c38a4bd1a76999364b5f979fbe25db0eaea721289c12252c471243ff3c4706ff151486e117a3561b5ba13de60b9c0d79f4a67ad5aadead47cc9555164da5b4cb5a5a7d38d67a31accee8af5889729ea6436c44a7e7dd468e324a9853f2a0b8625530e20f5d24720e34609080cf03a75f319c8ee2fcacf0b1d42f5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\axlbntonuiya\40c24f8c = 8755d8259f8ec8ee525aee99376df1767ec127c372028b520ac264261d11b9a3679c55f13035352e1259744ebb96959ed79e74151af2389349e6176b59501020bef36788eda487f56563d3d9066bfdab9a3b73ffa4d8723a7279353ee7258ad24037c1c6cb12dddbe3b13629ded89b2bf6	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

041f11543edf5591a8fb7b0037e3d115.exewermgr.exe

pid	Process
4048	041f11543edf5591a8fb7b0037e3d115.exe
4048	041f11543edf5591a8fb7b0037e3d115.exe
4048	041f11543edf5591a8fb7b0037e3d115.exe
4048	041f11543edf5591a8fb7b0037e3d115.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe
844	wermgr.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

041f11543edf5591a8fb7b0037e3d115.exe041f11543edf5591a8fb7b0037e3d115.exe

description	pid	Process	procid_target
PID 4068 wrote to memory of 4048	4068	041f11543edf5591a8fb7b0037e3d115.exe	86
PID 4068 wrote to memory of 4048	4068	041f11543edf5591a8fb7b0037e3d115.exe	86
PID 4068 wrote to memory of 4048	4068	041f11543edf5591a8fb7b0037e3d115.exe	86
PID 4068 wrote to memory of 4048	4068	041f11543edf5591a8fb7b0037e3d115.exe	86
PID 4068 wrote to memory of 4048	4068	041f11543edf5591a8fb7b0037e3d115.exe	86
PID 4068 wrote to memory of 4048	4068	041f11543edf5591a8fb7b0037e3d115.exe	86
PID 4068 wrote to memory of 4048	4068	041f11543edf5591a8fb7b0037e3d115.exe	86
PID 4068 wrote to memory of 4048	4068	041f11543edf5591a8fb7b0037e3d115.exe	86
PID 4048 wrote to memory of 844	4048	041f11543edf5591a8fb7b0037e3d115.exe	92
PID 4048 wrote to memory of 844	4048	041f11543edf5591a8fb7b0037e3d115.exe	92
PID 4048 wrote to memory of 844	4048	041f11543edf5591a8fb7b0037e3d115.exe	92
PID 4048 wrote to memory of 844	4048	041f11543edf5591a8fb7b0037e3d115.exe	92
PID 4048 wrote to memory of 844	4048	041f11543edf5591a8fb7b0037e3d115.exe	92

C:\Users\Admin\AppData\Local\Temp\041f11543edf5591a8fb7b0037e3d115.exe
"C:\Users\Admin\AppData\Local\Temp\041f11543edf5591a8fb7b0037e3d115.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Users\Admin\AppData\Local\Temp\041f11543edf5591a8fb7b0037e3d115.exe
  "C:\Users\Admin\AppData\Local\Temp\041f11543edf5591a8fb7b0037e3d115.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\System32\wermgr.exe
    C:\Windows\System32\wermgr.exe
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-16-0x0000029F32C20000-0x0000029F32C22000-memory.dmp

Filesize
8KB

Download
memory/844-43-0x0000029F32BF0000-0x0000029F32C20000-memory.dmp

Filesize
192KB

Download
memory/844-41-0x0000029F32BF0000-0x0000029F32C20000-memory.dmp

Filesize
192KB

Download
memory/844-40-0x0000029F32BF0000-0x0000029F32C20000-memory.dmp

Filesize
192KB

Download
memory/844-39-0x0000029F32BF0000-0x0000029F32C20000-memory.dmp

Filesize
192KB

Download
memory/844-37-0x0000029F32BF0000-0x0000029F32C20000-memory.dmp

Filesize
192KB

Download
memory/844-38-0x0000029F32BF0000-0x0000029F32C20000-memory.dmp

Filesize
192KB

Download
memory/844-24-0x0000029F32BF0000-0x0000029F32C20000-memory.dmp

Filesize
192KB

Download
memory/844-25-0x0000029F32BF0000-0x0000029F32C20000-memory.dmp

Filesize
192KB

Download
memory/844-27-0x0000029F32BF0000-0x0000029F32C20000-memory.dmp

Filesize
192KB

Download
memory/844-17-0x0000029F32BF0000-0x0000029F32C20000-memory.dmp

Filesize
192KB

Download
memory/4048-14-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4048-12-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4048-13-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4048-0-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4048-7-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4048-15-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4048-11-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4048-23-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4048-26-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4048-6-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4048-9-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4048-1-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4048-8-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4048-5-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4048-3-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4068-4-0x0000000002060000-0x00000000020B3000-memory.dmp

Filesize
332KB

Download
memory/4068-10-0x0000000002060000-0x00000000020B3000-memory.dmp

Filesize
332KB

Download
memory/4068-2-0x0000000001FC0000-0x000000000200E000-memory.dmp

Filesize
312KB

Download