4f823370e872c90a7aad7d1e434c33ed8c149f908710130ed05544c868a13c1a

Analysis

max time kernel
141s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cab8eebf044b1985bdbde318a854b7bd.exe
Size

1.8MB
MD5

cab8eebf044b1985bdbde318a854b7bd
SHA1

04ac6f94e031ea84ecdc8c6fda35259f81ca342c
SHA256

4f823370e872c90a7aad7d1e434c33ed8c149f908710130ed05544c868a13c1a
SHA512

f91fc67db25f274ba8d4a4203017729561a87b0c71a03ed5f4fe4722d22b0f725e3455b5adead1d0cf7794d3831241b79c8fe3d5e2ec274cd537a83af06a8719
SSDEEP

49152:Hwj425vOYx6ffj425vOJb1j425vOYx6ffj425vOH:H4nEYx6jnEJbFnEYx6jnEH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
772	cab8eebf044b1985bdbde318a854b7bd.exe

Executes dropped EXE 1 IoCs

pid	Process
772	cab8eebf044b1985bdbde318a854b7bd.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
1276	5028	WerFault.exe	84
2808	772	WerFault.exe	88
1188	772	WerFault.exe	88
4556	772	WerFault.exe	88
3180	772	WerFault.exe	88
4184	772	WerFault.exe	88
1768	772	WerFault.exe	88

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5028	cab8eebf044b1985bdbde318a854b7bd.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
772	cab8eebf044b1985bdbde318a854b7bd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 772	5028	cab8eebf044b1985bdbde318a854b7bd.exe	88
PID 5028 wrote to memory of 772	5028	cab8eebf044b1985bdbde318a854b7bd.exe	88
PID 5028 wrote to memory of 772	5028	cab8eebf044b1985bdbde318a854b7bd.exe	88

C:\Users\Admin\AppData\Local\Temp\cab8eebf044b1985bdbde318a854b7bd.exe
"C:\Users\Admin\AppData\Local\Temp\cab8eebf044b1985bdbde318a854b7bd.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 384
  2⤵
  - Program crash
  PID:1276
- C:\Users\Admin\AppData\Local\Temp\cab8eebf044b1985bdbde318a854b7bd.exe
  C:\Users\Admin\AppData\Local\Temp\cab8eebf044b1985bdbde318a854b7bd.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 352
    3⤵
    - Program crash
    PID:2808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 768
    3⤵
    - Program crash
    PID:1188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 812
    3⤵
    - Program crash
    PID:4556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 776
    3⤵
    - Program crash
    PID:3180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 820
    3⤵
    - Program crash
    PID:4184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 784
    3⤵
    - Program crash
    PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5028 -ip 5028
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 772 -ip 772
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 772 -ip 772
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 772 -ip 772
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 772 -ip 772
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 772 -ip 772
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 772 -ip 772
1⤵
PID:4124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cab8eebf044b1985bdbde318a854b7bd.exe

Filesize
1.8MB

MD5
fd6198ca3ecdf806899a22de6784b977

SHA1
60538b3a3d01f1059a6a58c04c6f275a938ed6d6

SHA256
6d0a17d324772e0ff73af7b84befdd71e0937fcc25d3ee69e7a05d9552174637

SHA512
df6bb6b6c35aacb18780c44ed67d82bcc4f084caa00fe22a343390556025ec1b1f72cb5474cd1268699f9560345e349bd5906bf391c7ee15a1f17112cbc4c4c4

Download Submit
memory/772-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/772-8-0x0000000003D70000-0x0000000003DA5000-memory.dmp

Filesize
212KB

Download
memory/772-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5028-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5028-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download