162e9d736a46e1b17d226ba42bdecffbaeaa5a41c80e81cd2f900557ccb1629d

Analysis

max time kernel
136s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 17:50

Target

162e9d736a46e1b17d226ba42bdecffbaeaa5a41c80e81cd2f900557ccb1629d.exe
Size

1.2MB
MD5

c34caf3c230b4414fc76ed81a1594b75
SHA1

27aa10305f6f956fb6ca01cea32280d044d5e8be
SHA256

162e9d736a46e1b17d226ba42bdecffbaeaa5a41c80e81cd2f900557ccb1629d
SHA512

70d3e68579326d9265fd9590d6e4e7e1297cd29fab38f0edc7dd1a4d2843a5c699dfee66b0fc4016a32aeffdbe08d2afb5a3b2d79ebf9109915471a6699791e7
SSDEEP

12288:cV8le0Bp+iVp4q/VhRoQjlDa/ZSEniF+G4l:neCrEoama/ZSEniF+9

Score

7^/10

Deletes itself 1 IoCs

pid	Process
4420	162e9d736a46e1b17d226ba42bdecffbaeaa5a41c80e81cd2f900557ccb1629d.exe

Executes dropped EXE 1 IoCs

pid	Process
4420	162e9d736a46e1b17d226ba42bdecffbaeaa5a41c80e81cd2f900557ccb1629d.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3588	1548	WerFault.exe	88
1368	4420	WerFault.exe	96
4308	4420	WerFault.exe	96

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1548	162e9d736a46e1b17d226ba42bdecffbaeaa5a41c80e81cd2f900557ccb1629d.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4420	162e9d736a46e1b17d226ba42bdecffbaeaa5a41c80e81cd2f900557ccb1629d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 4420	1548	162e9d736a46e1b17d226ba42bdecffbaeaa5a41c80e81cd2f900557ccb1629d.exe	96
PID 1548 wrote to memory of 4420	1548	162e9d736a46e1b17d226ba42bdecffbaeaa5a41c80e81cd2f900557ccb1629d.exe	96
PID 1548 wrote to memory of 4420	1548	162e9d736a46e1b17d226ba42bdecffbaeaa5a41c80e81cd2f900557ccb1629d.exe	96

C:\Users\Admin\AppData\Local\Temp\162e9d736a46e1b17d226ba42bdecffbaeaa5a41c80e81cd2f900557ccb1629d.exe
"C:\Users\Admin\AppData\Local\Temp\162e9d736a46e1b17d226ba42bdecffbaeaa5a41c80e81cd2f900557ccb1629d.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 344
  2⤵
  - Program crash
  PID:3588
- C:\Users\Admin\AppData\Local\Temp\162e9d736a46e1b17d226ba42bdecffbaeaa5a41c80e81cd2f900557ccb1629d.exe
  C:\Users\Admin\AppData\Local\Temp\162e9d736a46e1b17d226ba42bdecffbaeaa5a41c80e81cd2f900557ccb1629d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 352
    3⤵
    - Program crash
    PID:1368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 356
    3⤵
    - Program crash
    PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1548 -ip 1548
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4420 -ip 4420
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4420 -ip 4420
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\162e9d736a46e1b17d226ba42bdecffbaeaa5a41c80e81cd2f900557ccb1629d.exe

Filesize
1.2MB

MD5
1021c962d0d4955b0caa91875744eabe

SHA1
5899ccf0a5cb61b6618989d809b1f76fd49b3185

SHA256
a0503bd3c3fae712168d218bd00c0f1574d6280829c9b67089b93b5cfc2d6937

SHA512
ee19c2250d3c48e9f2cb5f1b5fea2945f677051f52354bf3372a67f2d826642ae9fed44e01edd51fc1240e63d83f19a6209fe11f4d315c93525dd181f3ef515a

Download Submit
memory/1548-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1548-6-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4420-7-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4420-8-0x00000000050A0000-0x0000000005188000-memory.dmp

Filesize
928KB

Download
memory/4420-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download