dea547d6a7660525d307a70934d8ef989f4d24f9511d5634f37e79ec79cf7f02

Analysis

max time kernel
144s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2024, 01:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dea547d6a7660525d307a70934d8ef989f4d24f9511d5634f37e79ec79cf7f02.exe
Size

175KB
MD5

c8e84fd291de9d4cd5ee46ceaa16c328
SHA1

3c7a180a9cea75eaf1e9847ac0f90886a5d035ce
SHA256

dea547d6a7660525d307a70934d8ef989f4d24f9511d5634f37e79ec79cf7f02
SHA512

7009f2490455e4ad503c2acfe07366760063341f419ce08dfe7c9c093ab16b88d31226102ea0ddb79a0c38399188ec67e71adcd90d297901f6fcfa300297989d
SSDEEP

3072:7Iyh5eafsDUngyDx93w/gFlMYfr8WLdY5:7IA5yDKCIFlhfr8F

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
676	dea547d6a7660525d307a70934d8ef989f4d24f9511d5634f37e79ec79cf7f02.exe

Executes dropped EXE 1 IoCs

pid	Process
676	dea547d6a7660525d307a70934d8ef989f4d24f9511d5634f37e79ec79cf7f02.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
736	4404	WerFault.exe	84
1072	676	WerFault.exe	88
3380	676	WerFault.exe	88
1012	676	WerFault.exe	88
568	676	WerFault.exe	88
2868	676	WerFault.exe	88
1524	676	WerFault.exe	88

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4404	dea547d6a7660525d307a70934d8ef989f4d24f9511d5634f37e79ec79cf7f02.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
676	dea547d6a7660525d307a70934d8ef989f4d24f9511d5634f37e79ec79cf7f02.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 676	4404	dea547d6a7660525d307a70934d8ef989f4d24f9511d5634f37e79ec79cf7f02.exe	88
PID 4404 wrote to memory of 676	4404	dea547d6a7660525d307a70934d8ef989f4d24f9511d5634f37e79ec79cf7f02.exe	88
PID 4404 wrote to memory of 676	4404	dea547d6a7660525d307a70934d8ef989f4d24f9511d5634f37e79ec79cf7f02.exe	88

C:\Users\Admin\AppData\Local\Temp\dea547d6a7660525d307a70934d8ef989f4d24f9511d5634f37e79ec79cf7f02.exe
"C:\Users\Admin\AppData\Local\Temp\dea547d6a7660525d307a70934d8ef989f4d24f9511d5634f37e79ec79cf7f02.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 384
  2⤵
  - Program crash
  PID:736
- C:\Users\Admin\AppData\Local\Temp\dea547d6a7660525d307a70934d8ef989f4d24f9511d5634f37e79ec79cf7f02.exe
  C:\Users\Admin\AppData\Local\Temp\dea547d6a7660525d307a70934d8ef989f4d24f9511d5634f37e79ec79cf7f02.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 352
    3⤵
    - Program crash
    PID:1072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 772
    3⤵
    - Program crash
    PID:3380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 812
    3⤵
    - Program crash
    PID:1012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 776
    3⤵
    - Program crash
    PID:568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 780
    3⤵
    - Program crash
    PID:2868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 812
    3⤵
    - Program crash
    PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4404 -ip 4404
1⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 676 -ip 676
1⤵
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 676 -ip 676
1⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 676 -ip 676
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 676 -ip 676
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 676 -ip 676
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 676 -ip 676
1⤵
PID:2284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dea547d6a7660525d307a70934d8ef989f4d24f9511d5634f37e79ec79cf7f02.exe

Filesize
175KB

MD5
abe8970b697c47a49ef88445b79a777d

SHA1
3114ae5bba4aef59f51ef8dbf2fa1a5e96d90252

SHA256
faf147db6f1a2b795d6094e3b1e28a6f7f8419a6ff6f5cd027551222bcb2cfd7

SHA512
c25f51ffcbaff817658cc05bd22274c9d6e73ee2fed12ec3696a5e1218cc594054a77b6abe88c3ef759ae411d592320ed20e38e9bec65a096f782c9c60b419fd

Download Submit
memory/676-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/676-8-0x00000000014D0000-0x0000000001503000-memory.dmp

Filesize
204KB

Download
memory/676-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4404-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-6-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download