0bae357b4083cba2e927e8888b0edc7803a340f858134eeab42415c5c263127d

Analysis

max time kernel
138s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 17:25

Target

0bae357b4083cba2e927e8888b0edc7803a340f858134eeab42415c5c263127d.exe
Size

384KB
MD5

29613dd3b1e96be91f815f201493591c
SHA1

ca837f4a53480c222e43f614f860430168952796
SHA256

0bae357b4083cba2e927e8888b0edc7803a340f858134eeab42415c5c263127d
SHA512

ff2b2ea3d9c1a575541754db2353cd24092c798fa402dabc20981b8d87f1563341db23d53bd67ed503710f1653a678f3ff0a37540eefe614f0a837afa491102b
SSDEEP

6144:qv09K6h//mWo+SlASZF9A+vULyyUUok6V40saiigCD4H2hz8QZA:S086hHTo2+6+MVZok6VQ5zCD4V3

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1328	0bae357b4083cba2e927e8888b0edc7803a340f858134eeab42415c5c263127d.exe

Executes dropped EXE 1 IoCs

pid	Process
1328	0bae357b4083cba2e927e8888b0edc7803a340f858134eeab42415c5c263127d.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3636	4084	WerFault.exe	86
536	1328	WerFault.exe	96

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4084	0bae357b4083cba2e927e8888b0edc7803a340f858134eeab42415c5c263127d.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1328	0bae357b4083cba2e927e8888b0edc7803a340f858134eeab42415c5c263127d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 1328	4084	0bae357b4083cba2e927e8888b0edc7803a340f858134eeab42415c5c263127d.exe	96
PID 4084 wrote to memory of 1328	4084	0bae357b4083cba2e927e8888b0edc7803a340f858134eeab42415c5c263127d.exe	96
PID 4084 wrote to memory of 1328	4084	0bae357b4083cba2e927e8888b0edc7803a340f858134eeab42415c5c263127d.exe	96

C:\Users\Admin\AppData\Local\Temp\0bae357b4083cba2e927e8888b0edc7803a340f858134eeab42415c5c263127d.exe
"C:\Users\Admin\AppData\Local\Temp\0bae357b4083cba2e927e8888b0edc7803a340f858134eeab42415c5c263127d.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 396
  2⤵
  - Program crash
  PID:3636
- C:\Users\Admin\AppData\Local\Temp\0bae357b4083cba2e927e8888b0edc7803a340f858134eeab42415c5c263127d.exe
  C:\Users\Admin\AppData\Local\Temp\0bae357b4083cba2e927e8888b0edc7803a340f858134eeab42415c5c263127d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 364
    3⤵
    - Program crash
    PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4084 -ip 4084
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1328 -ip 1328
1⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\0bae357b4083cba2e927e8888b0edc7803a340f858134eeab42415c5c263127d.exe

Filesize
384KB

MD5
7d5e969cffa42110c43eb0ec41e16aef

SHA1
e8659cbd9ab639033b76f651b73a44494b637271

SHA256
c6205beaf26b4e1e0864e283b580010fd09c23bef6b92cc3f1839597e9643a22

SHA512
40b3d981abb330997b41c443b7e804917757ef92a8faf283356292a9133e5836211b7385b12fdfd93555d4772fb585acf75b30ca472f160980f63cf9e309828f

Download Submit
memory/1328-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1328-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1328-9-0x0000000001700000-0x0000000001741000-memory.dmp

Filesize
260KB

Download
memory/4084-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4084-6-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download