0e2c6448911184f4b6b85be71857f5af390ee25f8a249f9fd9f3f504469f70a6

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2024 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e2c6448911184f4b6b85be71857f5af390ee25f8a249f9fd9f3f504469f70a6.exe
Size

416KB
MD5

4194412eaeffab93d6dca73861b6f08e
SHA1

51e9a434ec33fa7049e398b61c5bcb540b4b8506
SHA256

0e2c6448911184f4b6b85be71857f5af390ee25f8a249f9fd9f3f504469f70a6
SHA512

0c76e3b03bac209d8554e89fc1e47c04b5e176fba0ba775ca8a89e5148a2a74ab70bcb6bf2b0cad9a63418ca6e7f71b167710bcaa2d551391da4c2827b174664
SSDEEP

6144:ez+RFme7axaMtWflRgsxYjPjG+MN4Gibu79H0W7cyqCxSngmMBqfycuPbUl0i5ci:ezk5rxCdEjii7j0npM4dl0v5JdE

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1996	0e2c6448911184f4b6b85be71857f5af390ee25f8a249f9fd9f3f504469f70a6.exe

Executes dropped EXE 1 IoCs

pid	Process
1996	0e2c6448911184f4b6b85be71857f5af390ee25f8a249f9fd9f3f504469f70a6.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4888	1032	WerFault.exe	89
1524	1996	WerFault.exe	95
3248	1996	WerFault.exe	95
2936	1996	WerFault.exe	95
812	1996	WerFault.exe	95
2656	1996	WerFault.exe	95
3104	1996	WerFault.exe	95

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1032	0e2c6448911184f4b6b85be71857f5af390ee25f8a249f9fd9f3f504469f70a6.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1996	0e2c6448911184f4b6b85be71857f5af390ee25f8a249f9fd9f3f504469f70a6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1996	1032	0e2c6448911184f4b6b85be71857f5af390ee25f8a249f9fd9f3f504469f70a6.exe	95
PID 1032 wrote to memory of 1996	1032	0e2c6448911184f4b6b85be71857f5af390ee25f8a249f9fd9f3f504469f70a6.exe	95
PID 1032 wrote to memory of 1996	1032	0e2c6448911184f4b6b85be71857f5af390ee25f8a249f9fd9f3f504469f70a6.exe	95

C:\Users\Admin\AppData\Local\Temp\0e2c6448911184f4b6b85be71857f5af390ee25f8a249f9fd9f3f504469f70a6.exe
"C:\Users\Admin\AppData\Local\Temp\0e2c6448911184f4b6b85be71857f5af390ee25f8a249f9fd9f3f504469f70a6.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 384
  2⤵
  - Program crash
  PID:4888
- C:\Users\Admin\AppData\Local\Temp\0e2c6448911184f4b6b85be71857f5af390ee25f8a249f9fd9f3f504469f70a6.exe
  C:\Users\Admin\AppData\Local\Temp\0e2c6448911184f4b6b85be71857f5af390ee25f8a249f9fd9f3f504469f70a6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 352
    3⤵
    - Program crash
    PID:1524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 768
    3⤵
    - Program crash
    PID:3248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 788
    3⤵
    - Program crash
    PID:2936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 776
    3⤵
    - Program crash
    PID:812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 780
    3⤵
    - Program crash
    PID:2656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 796
    3⤵
    - Program crash
    PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1032 -ip 1032
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1996 -ip 1996
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1996 -ip 1996
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1996 -ip 1996
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1996 -ip 1996
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1996 -ip 1996
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1996 -ip 1996
1⤵
PID:2180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0e2c6448911184f4b6b85be71857f5af390ee25f8a249f9fd9f3f504469f70a6.exe

Filesize
416KB

MD5
ad4b47107f16b492bf17ced59203b595

SHA1
15bf5c82c3d9d29f91aed8ce2de8bf610ced0550

SHA256
12c78b1098a7af3b1ebbbfdc8893ddf96b54cc1420efee02c80df3446cb7285a

SHA512
53fedeb54533edfc635f2baf62f5c6661ad83b706abcf70cab932fd1206a669e939ec60cdc110a2301eca8d2fd138a4d8a9b61f9b3242f8198d8c9abf0ff5a4d

Download Submit
memory/1032-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1032-6-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1996-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1996-8-0x00000000014D0000-0x0000000001511000-memory.dmp

Filesize
260KB

Download
memory/1996-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download