705100854d63bef580bae73c6576135794216298da8a075275bcf5099606b569

Analysis

max time kernel
92s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 21:12

Target

705100854d63bef580bae73c6576135794216298da8a075275bcf5099606b569.exe
Size

209KB
MD5

7b38faa6b1ee4d3a26bc80947f7ca3bf
SHA1

4ae8c5a10a16bd9bb38c7ba9d48ebe417b5fbf3e
SHA256

705100854d63bef580bae73c6576135794216298da8a075275bcf5099606b569
SHA512

20cec09b42dfc5d852cac75a40374845448d27ff47686b980ebbf66a90975d301505d6b0ba6c0e7a691f5a085818611fceeaa327b34c73c13dc1305926278621
SSDEEP

6144:lnw7tPg/EnrM9gbmO4V9vjFTa8SHQAe5+4eNsapJ1VrZtfXp:lnw7tZnigSOYF+86z4e2ap1Vtfp

Score

7^/10

Deletes itself 1 IoCs

pid	Process
4036	705100854d63bef580bae73c6576135794216298da8a075275bcf5099606b569.exe

Executes dropped EXE 1 IoCs

pid	Process
4036	705100854d63bef580bae73c6576135794216298da8a075275bcf5099606b569.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1276	4652	WerFault.exe	83
5024	4036	WerFault.exe	88

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4652	705100854d63bef580bae73c6576135794216298da8a075275bcf5099606b569.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4036	705100854d63bef580bae73c6576135794216298da8a075275bcf5099606b569.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 4036	4652	705100854d63bef580bae73c6576135794216298da8a075275bcf5099606b569.exe	88
PID 4652 wrote to memory of 4036	4652	705100854d63bef580bae73c6576135794216298da8a075275bcf5099606b569.exe	88
PID 4652 wrote to memory of 4036	4652	705100854d63bef580bae73c6576135794216298da8a075275bcf5099606b569.exe	88

C:\Users\Admin\AppData\Local\Temp\705100854d63bef580bae73c6576135794216298da8a075275bcf5099606b569.exe
"C:\Users\Admin\AppData\Local\Temp\705100854d63bef580bae73c6576135794216298da8a075275bcf5099606b569.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 396
  2⤵
  - Program crash
  PID:1276
- C:\Users\Admin\AppData\Local\Temp\705100854d63bef580bae73c6576135794216298da8a075275bcf5099606b569.exe
  C:\Users\Admin\AppData\Local\Temp\705100854d63bef580bae73c6576135794216298da8a075275bcf5099606b569.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 364
    3⤵
    - Program crash
    PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4652 -ip 4652
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4036 -ip 4036
1⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\705100854d63bef580bae73c6576135794216298da8a075275bcf5099606b569.exe

Filesize
209KB

MD5
06b3e60f59d3644ba0d525b695d2b7a3

SHA1
d0d3c0a24c8db482acb67a050e5513cd58abeecb

SHA256
e059bada652c1d39f87a87510bce9d56b342adb1652d6910badefacc93ecc6fd

SHA512
748b23278369501a5016db8fb5b5c9b395f7baef3c093fd4d551ff4095a82e63dea2f299e35667c0c99b97d10ab95db220fc9417c71daa04e71068c76ca02f8f

Download Submit
memory/4036-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4036-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4036-13-0x0000000001650000-0x0000000001690000-memory.dmp

Filesize
256KB

Download
memory/4652-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4652-6-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download