109f9b78d3eb78e90e9017f5aaae9abab83e06896d33a24fb86f0e599c459d13

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03-02-2024 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ce52a1f3838445866497a6e3fc7eedd.exe
Size

184KB
MD5

8ce52a1f3838445866497a6e3fc7eedd
SHA1

0d94fc7f51d286d172d962abddbc7ae675f46e6d
SHA256

109f9b78d3eb78e90e9017f5aaae9abab83e06896d33a24fb86f0e599c459d13
SHA512

93e4c4d62179d848e92b80408418ec11df73ab35b8e5252e530892d173936ecd2d569306f706013dcc79c7f33ad7655b2aacf5b1e928fc5ab0fae9ea95727db6
SSDEEP

3072:S2LtozE4fYA01OjCdTsWA8FbqtI6ODfIfYExg9jYQNlPFpFl:S2xoT501tdoWA8tQwPNlPFpF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 12 IoCs

pid	Process
1912	Unicorn-35406.exe
2824	Unicorn-34695.exe
2740	Unicorn-37300.exe
3024	Unicorn-28385.exe
848	Unicorn-45079.exe
1584	Unicorn-48452.exe
2224	Unicorn-6768.exe
2032	Unicorn-27547.exe
2060	Unicorn-14547.exe
2240	Unicorn-13836.exe
960	Unicorn-17978.exe
1628	Unicorn-894.exe

Loads dropped DLL 64 IoCs

pid	Process
1964	8ce52a1f3838445866497a6e3fc7eedd.exe
1964	8ce52a1f3838445866497a6e3fc7eedd.exe
1912	Unicorn-35406.exe
1912	Unicorn-35406.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2824	Unicorn-34695.exe
2824	Unicorn-34695.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2740	Unicorn-37300.exe
2740	Unicorn-37300.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
3024	Unicorn-28385.exe
3024	Unicorn-28385.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
848	Unicorn-45079.exe
848	Unicorn-45079.exe
2140	WerFault.exe
2140	WerFault.exe
2140	WerFault.exe
2140	WerFault.exe
2140	WerFault.exe
2140	WerFault.exe
2140	WerFault.exe
1584	Unicorn-48452.exe
1584	Unicorn-48452.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2224	Unicorn-6768.exe
2224	Unicorn-6768.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe

Program crash 12 IoCs

pid	pid_target	Process	procid_target
2420	1964	WerFault.exe	15
2792	1912	WerFault.exe	28
2672	2824	WerFault.exe	30
2536	2740	WerFault.exe	32
2648	3024	WerFault.exe	34
2140	848	WerFault.exe	36
2480	1584	WerFault.exe	38
2600	2224	WerFault.exe	40
2244	2032	WerFault.exe	42
684	2060	WerFault.exe	44
1620	2240	WerFault.exe	46
2368	960	WerFault.exe	48

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1964	8ce52a1f3838445866497a6e3fc7eedd.exe
1912	Unicorn-35406.exe
2824	Unicorn-34695.exe
2740	Unicorn-37300.exe
3024	Unicorn-28385.exe
848	Unicorn-45079.exe
1584	Unicorn-48452.exe
2224	Unicorn-6768.exe
2032	Unicorn-27547.exe
2060	Unicorn-14547.exe
2240	Unicorn-13836.exe
960	Unicorn-17978.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1912	1964	8ce52a1f3838445866497a6e3fc7eedd.exe	28
PID 1964 wrote to memory of 1912	1964	8ce52a1f3838445866497a6e3fc7eedd.exe	28
PID 1964 wrote to memory of 1912	1964	8ce52a1f3838445866497a6e3fc7eedd.exe	28
PID 1964 wrote to memory of 1912	1964	8ce52a1f3838445866497a6e3fc7eedd.exe	28
PID 1964 wrote to memory of 2420	1964	8ce52a1f3838445866497a6e3fc7eedd.exe	29
PID 1964 wrote to memory of 2420	1964	8ce52a1f3838445866497a6e3fc7eedd.exe	29
PID 1964 wrote to memory of 2420	1964	8ce52a1f3838445866497a6e3fc7eedd.exe	29
PID 1964 wrote to memory of 2420	1964	8ce52a1f3838445866497a6e3fc7eedd.exe	29
PID 1912 wrote to memory of 2824	1912	Unicorn-35406.exe	30
PID 1912 wrote to memory of 2824	1912	Unicorn-35406.exe	30
PID 1912 wrote to memory of 2824	1912	Unicorn-35406.exe	30
PID 1912 wrote to memory of 2824	1912	Unicorn-35406.exe	30
PID 1912 wrote to memory of 2792	1912	Unicorn-35406.exe	31
PID 1912 wrote to memory of 2792	1912	Unicorn-35406.exe	31
PID 1912 wrote to memory of 2792	1912	Unicorn-35406.exe	31
PID 1912 wrote to memory of 2792	1912	Unicorn-35406.exe	31
PID 2824 wrote to memory of 2740	2824	Unicorn-34695.exe	32
PID 2824 wrote to memory of 2740	2824	Unicorn-34695.exe	32
PID 2824 wrote to memory of 2740	2824	Unicorn-34695.exe	32
PID 2824 wrote to memory of 2740	2824	Unicorn-34695.exe	32
PID 2824 wrote to memory of 2672	2824	Unicorn-34695.exe	33
PID 2824 wrote to memory of 2672	2824	Unicorn-34695.exe	33
PID 2824 wrote to memory of 2672	2824	Unicorn-34695.exe	33
PID 2824 wrote to memory of 2672	2824	Unicorn-34695.exe	33
PID 2740 wrote to memory of 3024	2740	Unicorn-37300.exe	34
PID 2740 wrote to memory of 3024	2740	Unicorn-37300.exe	34
PID 2740 wrote to memory of 3024	2740	Unicorn-37300.exe	34
PID 2740 wrote to memory of 3024	2740	Unicorn-37300.exe	34
PID 2740 wrote to memory of 2536	2740	Unicorn-37300.exe	35
PID 2740 wrote to memory of 2536	2740	Unicorn-37300.exe	35
PID 2740 wrote to memory of 2536	2740	Unicorn-37300.exe	35
PID 2740 wrote to memory of 2536	2740	Unicorn-37300.exe	35
PID 3024 wrote to memory of 848	3024	Unicorn-28385.exe	36
PID 3024 wrote to memory of 848	3024	Unicorn-28385.exe	36
PID 3024 wrote to memory of 848	3024	Unicorn-28385.exe	36
PID 3024 wrote to memory of 848	3024	Unicorn-28385.exe	36
PID 3024 wrote to memory of 2648	3024	Unicorn-28385.exe	37
PID 3024 wrote to memory of 2648	3024	Unicorn-28385.exe	37
PID 3024 wrote to memory of 2648	3024	Unicorn-28385.exe	37
PID 3024 wrote to memory of 2648	3024	Unicorn-28385.exe	37
PID 848 wrote to memory of 1584	848	Unicorn-45079.exe	38
PID 848 wrote to memory of 1584	848	Unicorn-45079.exe	38
PID 848 wrote to memory of 1584	848	Unicorn-45079.exe	38
PID 848 wrote to memory of 1584	848	Unicorn-45079.exe	38
PID 848 wrote to memory of 2140	848	Unicorn-45079.exe	39
PID 848 wrote to memory of 2140	848	Unicorn-45079.exe	39
PID 848 wrote to memory of 2140	848	Unicorn-45079.exe	39
PID 848 wrote to memory of 2140	848	Unicorn-45079.exe	39
PID 1584 wrote to memory of 2224	1584	Unicorn-48452.exe	40
PID 1584 wrote to memory of 2224	1584	Unicorn-48452.exe	40
PID 1584 wrote to memory of 2224	1584	Unicorn-48452.exe	40
PID 1584 wrote to memory of 2224	1584	Unicorn-48452.exe	40
PID 1584 wrote to memory of 2480	1584	Unicorn-48452.exe	41
PID 1584 wrote to memory of 2480	1584	Unicorn-48452.exe	41
PID 1584 wrote to memory of 2480	1584	Unicorn-48452.exe	41
PID 1584 wrote to memory of 2480	1584	Unicorn-48452.exe	41
PID 2224 wrote to memory of 2032	2224	Unicorn-6768.exe	42
PID 2224 wrote to memory of 2032	2224	Unicorn-6768.exe	42
PID 2224 wrote to memory of 2032	2224	Unicorn-6768.exe	42
PID 2224 wrote to memory of 2032	2224	Unicorn-6768.exe	42
PID 2224 wrote to memory of 2600	2224	Unicorn-6768.exe	43
PID 2224 wrote to memory of 2600	2224	Unicorn-6768.exe	43
PID 2224 wrote to memory of 2600	2224	Unicorn-6768.exe	43
PID 2224 wrote to memory of 2600	2224	Unicorn-6768.exe	43

C:\Users\Admin\AppData\Local\Temp\8ce52a1f3838445866497a6e3fc7eedd.exe
"C:\Users\Admin\AppData\Local\Temp\8ce52a1f3838445866497a6e3fc7eedd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\Unicorn-35406.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-35406.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-34695.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-34695.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-37300.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-37300.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-28385.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-28385.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-45079.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-45079.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48452.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-48452.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6768.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6768.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27547.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-27547.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14547.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-14547.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13836.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-13836.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17978.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-17978.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-894.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-894.exe
        13⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 236
        13⤵
        Program crash
        
        PID:2368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 236
        12⤵
        Program crash
        
        PID:1620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 236
        11⤵
        Program crash
        
        PID:684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 236
        10⤵
        Program crash
        
        PID:2244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 236
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:2600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 236
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:2480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 236
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2140
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 236
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2648
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 236
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2536
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 236
      4⤵
      Loads dropped DLL
      Program crash
      PID:2672
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 236
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 236
  2⤵
  - Program crash
  PID:2420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-28385.exe

Filesize
184KB

MD5
87f6f86309c9e08e779445758af427de

SHA1
3ea1ae836f9d230935dc39fe7755fa9a78297701

SHA256
989a4ff1431f19ad69e44eef3d059b633e414bfe6e671d3afd38bcd19e98cc90

SHA512
7b1bc9f5848d586078755ae33c0f1cee012aa3ee03975d4d8298e91251e5ad79f4ed69fd15738c275b0aa58c7c2b65bd61efef0cd1ce152665ad84d5a639884d

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-34695.exe

Filesize
184KB

MD5
eeabd654218efc109b21b5d658686f19

SHA1
74cdcb631719a8848f7f8aefc84c72ec2b22f463

SHA256
5aa6042a922abdbb94e0fd50ccaa95a5164c66eccad1043ca5a7717cb7c815d3

SHA512
1959bb2beaaa41eb0de3818ba516145937a066a96accb657797ae6d00a02d2c291f14b4043f4c840b198ed96d8bdfb7b1d563300b5fbddaa6c675ebe563fedc2

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-35406.exe

Filesize
184KB

MD5
ddc4467018c45de0cb30d5158b74dca4

SHA1
973ea48dc7d689adf006702be7587160570be88c

SHA256
46e69b83ac00b3319b0bc0f3055d938e5e9bf3bf63a1ac3b0466e0a58e879c75

SHA512
a2cf2688da361a06d155c37d5c26104f772505b1e1b082980539e296af867eb6cc6cfaecbea723c24b3f246731209224cea1c7842b1f0d11a16875814c3f1c49

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-37300.exe

Filesize
184KB

MD5
7d5f57de12fbd84e900a6eaa9680656d

SHA1
e05e80792f1441a35a3011800de099de9b3ab99d

SHA256
988888bb41e3431031043a5e99cdac3b367037eb6444df8652b634820aad95c3

SHA512
673c82326d5307a15bbcb5364d475838960f6bc28dcfe9f8a6e2f10cd0e3969bc15238de0938b4d1d28216a867cf44c38b17ed1506c87681c0e0b0dffa3d3176

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-45079.exe

Filesize
184KB

MD5
f1dfc39c1128854356b947bcf4a6340a

SHA1
c2b5f9a295b5800f691ff08bf5b1db6efd42f6de

SHA256
aeb8f4fb5b039fb41063b768f22d6179c476316a1c04f1cccec426aba8efb941

SHA512
9ddcd81601b551a7a7411e8058b73f288e820bdb4cec5fa813491f08b182131b489db37531f335f54a2eef1fd0d407ba79290858187aa87199097dfb961a5fb5

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-48452.exe

Filesize
184KB

MD5
01d2fde06939f03e93f3deb29f20cd48

SHA1
cdd3a67b7a20952bff2ee2367c9c280de8d2efb5

SHA256
6b2fb72b8307355f4ea62a873b9ec039e82f0fa3c0206be60b4f496fd31f761e

SHA512
a300e947c119adeaa5be2ac7a266c5074c4da0ad5c224b951f3e9c91fde1231587f2dd90c5f5eca0598ec3410f8270b278c4e1fcd7a6a1a7673392c2f02fc100

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-6768.exe

Filesize
184KB

MD5
f897a25e8ead3c7dbb435a615743bd2e

SHA1
3cec79f28fef6a0a72308cd76b87b1c332b6bd7a

SHA256
0b870d28389534244ff36e93008f7beebd57f16cdeacd284a4c904d1c222e8ff

SHA512
2e09af7641834ebdc3b9f3a64d880fd0308cece3c3086c752b84797483ed2b7c0abc0eaaacbe2775703ce0d200a4772c9226613e333b3998c49e0127ad7e43a8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads