d4591029a252beab0a82f79eba5d8f99d61c4b04f86d82fc9a15f7c75a83e4b3

Analysis

max time kernel
147s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 02:28

Target

d4591029a252beab0a82f79eba5d8f99d61c4b04f86d82fc9a15f7c75a83e4b3.exe
Size

362KB
MD5

780179e4442412ff6c1df3c229b9e89b
SHA1

7d118f34ca68a3dc1e493f2d661a47428e2538e8
SHA256

d4591029a252beab0a82f79eba5d8f99d61c4b04f86d82fc9a15f7c75a83e4b3
SHA512

9727176b95bdee347c168dc14dfc87ef571e49e9b6f7431349e95c12f7622d10079667786883721e4299017dc82976919395a07cf34d48d5e5f0426b06ed81fc
SSDEEP

6144:lK1CLJDFKnsJqlFDS2h9l9mCcydrDxbD2k/JrAV40saiigCUlhu9a6r/V:Y1CLyns8lFGofcW99D2qJrAVQ5zCUlhS

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2252	d4591029a252beab0a82f79eba5d8f99d61c4b04f86d82fc9a15f7c75a83e4b3.exe

Executes dropped EXE 1 IoCs

pid	Process
2252	d4591029a252beab0a82f79eba5d8f99d61c4b04f86d82fc9a15f7c75a83e4b3.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2552	4064	WerFault.exe	87
4032	2252	WerFault.exe	99

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4064	d4591029a252beab0a82f79eba5d8f99d61c4b04f86d82fc9a15f7c75a83e4b3.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2252	d4591029a252beab0a82f79eba5d8f99d61c4b04f86d82fc9a15f7c75a83e4b3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 2252	4064	d4591029a252beab0a82f79eba5d8f99d61c4b04f86d82fc9a15f7c75a83e4b3.exe	99
PID 4064 wrote to memory of 2252	4064	d4591029a252beab0a82f79eba5d8f99d61c4b04f86d82fc9a15f7c75a83e4b3.exe	99
PID 4064 wrote to memory of 2252	4064	d4591029a252beab0a82f79eba5d8f99d61c4b04f86d82fc9a15f7c75a83e4b3.exe	99

C:\Users\Admin\AppData\Local\Temp\d4591029a252beab0a82f79eba5d8f99d61c4b04f86d82fc9a15f7c75a83e4b3.exe
"C:\Users\Admin\AppData\Local\Temp\d4591029a252beab0a82f79eba5d8f99d61c4b04f86d82fc9a15f7c75a83e4b3.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 396
  2⤵
  - Program crash
  PID:2552
- C:\Users\Admin\AppData\Local\Temp\d4591029a252beab0a82f79eba5d8f99d61c4b04f86d82fc9a15f7c75a83e4b3.exe
  C:\Users\Admin\AppData\Local\Temp\d4591029a252beab0a82f79eba5d8f99d61c4b04f86d82fc9a15f7c75a83e4b3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 364
    3⤵
    - Program crash
    PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4064 -ip 4064
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2252 -ip 2252
1⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\d4591029a252beab0a82f79eba5d8f99d61c4b04f86d82fc9a15f7c75a83e4b3.exe

Filesize
362KB

MD5
8abed877f42768ef37335800dc1f3249

SHA1
ea7a9aa4371295313c2dd22c00d7be0c685168a2

SHA256
2e268bd3f008c513915b1d7453e21332a88d7958bf69b28a4e430505df01c7a5

SHA512
d65363a7e990bf4d6ad4c9b28442f8ae58aa81ad41c39cba46b8cb73097f21c94f55ae3cfa8c0e57d763e59ee543c3cef80c2c6efaddc0a37408e9232352583f

Download Submit
memory/2252-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2252-9-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2252-10-0x0000000003D70000-0x0000000003DB3000-memory.dmp

Filesize
268KB

Download
memory/2252-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4064-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4064-1-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4064-6-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download