05934730f5b368da143508a2b630789f3130afcd721a28e5c9b4cc5835e8d5f4

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cfaafd16d316bf894b34b3e91e306f9.exe
Size

10.4MB
MD5

7cfaafd16d316bf894b34b3e91e306f9
SHA1

89a857eb1bf3165845f51f6d933de6d78520110d
SHA256

05934730f5b368da143508a2b630789f3130afcd721a28e5c9b4cc5835e8d5f4
SHA512

cc40b01190a762742909f8bbd6dd7a584c5b77bcfc5b671939292b486b122a003940ec6e3c3d9542d78c9beb236717575b5344a0e52834a050371788f7c71c6b
SSDEEP

49152:FXzgD8xgClg/UCgD8xgClgCo/ugD8xgClgoyTIgD8xgClg:M8z+UN8ztaZ8z3Kv8z

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3052	7cfaafd16d316bf894b34b3e91e306f9.exe

Executes dropped EXE 1 IoCs

pid	Process
3052	7cfaafd16d316bf894b34b3e91e306f9.exe

Loads dropped DLL 4 IoCs

pid	Process
2804	7cfaafd16d316bf894b34b3e91e306f9.exe
2768	WerFault.exe
2768	WerFault.exe
2768	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2768	3052	WerFault.exe	29

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2804	7cfaafd16d316bf894b34b3e91e306f9.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3052	7cfaafd16d316bf894b34b3e91e306f9.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 3052	2804	7cfaafd16d316bf894b34b3e91e306f9.exe	29
PID 2804 wrote to memory of 3052	2804	7cfaafd16d316bf894b34b3e91e306f9.exe	29
PID 2804 wrote to memory of 3052	2804	7cfaafd16d316bf894b34b3e91e306f9.exe	29
PID 2804 wrote to memory of 3052	2804	7cfaafd16d316bf894b34b3e91e306f9.exe	29
PID 3052 wrote to memory of 2768	3052	7cfaafd16d316bf894b34b3e91e306f9.exe	30
PID 3052 wrote to memory of 2768	3052	7cfaafd16d316bf894b34b3e91e306f9.exe	30
PID 3052 wrote to memory of 2768	3052	7cfaafd16d316bf894b34b3e91e306f9.exe	30
PID 3052 wrote to memory of 2768	3052	7cfaafd16d316bf894b34b3e91e306f9.exe	30

C:\Users\Admin\AppData\Local\Temp\7cfaafd16d316bf894b34b3e91e306f9.exe
"C:\Users\Admin\AppData\Local\Temp\7cfaafd16d316bf894b34b3e91e306f9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\7cfaafd16d316bf894b34b3e91e306f9.exe
  C:\Users\Admin\AppData\Local\Temp\7cfaafd16d316bf894b34b3e91e306f9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 144
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7cfaafd16d316bf894b34b3e91e306f9.exe

Filesize
3.8MB

MD5
6b48e0f4dd0f7f8fc3e98dc44c0ed2ff

SHA1
117c948162f6d621229946d5648f47a00ddd3a89

SHA256
af705419c45d2e6eeda75dd4cb645156c691994f3d0b822f19fe28acf75e12ea

SHA512
a57776c4df03abc56c7b5e3e1410a149a61dead13fd59cb8e792e8f22e2eabd3e5456cda00e54ccb02639927aff6e9e5cd34a74437d79921f22e7112de9e3783

Download Submit
\Users\Admin\AppData\Local\Temp\7cfaafd16d316bf894b34b3e91e306f9.exe

Filesize
4.2MB

MD5
4147177d76b1c36bec355c5e95b4e98a

SHA1
e925f6fa17fac9316ecfc503945d48163a592e06

SHA256
5d49d2b69d3c93b130bd09d73eaaddb41549c88a4e6228fb605a95b4d6b93b48

SHA512
c3f604db01b5a189fed5749773bc8b52d3eba3dc5024ab51be46acea9ae38ae9ab52c334004d4357e34e5cee22955b6d8b3265eaca15cf35dcb1ac2ba6b0ed3b

Download Submit
\Users\Admin\AppData\Local\Temp\7cfaafd16d316bf894b34b3e91e306f9.exe

Filesize
3.4MB

MD5
05b7f9875c736c65cb04d88b927f3662

SHA1
58ae952ceb30057e76d80f7f55e0a158aa4f01b7

SHA256
ac4bec12c85087e27060b90bc97dc5431e0fc5bfe478d00929587a6bc3cab6a2

SHA512
f44e04b808b627e61d895228d252c0a27f4d0e1d42e7ec29993bffac22d5491e8ac7fd9686deb65a8ee681afbc1ada0c059c241e42327073212e162e8de210db

Download Submit
\Users\Admin\AppData\Local\Temp\7cfaafd16d316bf894b34b3e91e306f9.exe

Filesize
3.5MB

MD5
a194ba054c499b4493be47f232725d30

SHA1
4e59c021b3e3d92ed16ff388e1361307eaba6dff

SHA256
fe560e4fe729d456ce9e19ac4f748599beddf62f99712e8a0fb6ce95da586ea6

SHA512
77159eb56577ef3c64dd3508652d8090ad80f3f5226f860fee949e5e26935c30107832c6099b98dc532588cbb47bfadac377d79893f5ded2ac0bae136db6c91a

Download Submit
\Users\Admin\AppData\Local\Temp\7cfaafd16d316bf894b34b3e91e306f9.exe

Filesize
3.9MB

MD5
7814f6a89dd3a751262d40d0aa396b96

SHA1
36fe297f7d43abf7102f6b0c8c8bbfce97a26eae

SHA256
f401dc311122d76bfb707f60c1c9b05a3c4ce2093fcae740bd56ee9ea11be4e4

SHA512
8fe018361e08e0f77d7d1e32fc023e862246f08171f85245ecbf6f20c643b51498de14b5a5862655bce2aa5bcdbb5e3dc650fab1e971cc189e29ee9779ec91eb

Download Submit
memory/2804-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2804-6-0x0000000002C30000-0x0000000002D15000-memory.dmp

Filesize
916KB

Download
memory/2804-8-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3052-10-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3052-11-0x0000000002E00000-0x0000000002EE5000-memory.dmp

Filesize
916KB

Download