245e2e8e3bcb9a3db37d8274bf567402475cb3d176596a509ee305fb1f9b0515

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d217f798e79ee612cbdc11cef1723dfe.exe
Size

320KB
MD5

d217f798e79ee612cbdc11cef1723dfe
SHA1

fff19d72fed7d1d421c1b0d4b6622fec25f81d86
SHA256

245e2e8e3bcb9a3db37d8274bf567402475cb3d176596a509ee305fb1f9b0515
SHA512

fd6dc5b80f0c21a9ad1ffb1e02f5ed5686a81e4b2676597c8bdc22c1f0f775e2a98313a12441c833b7b4a83c468e078f70797f0697b30d41b04f006bf42f90b5
SSDEEP

6144:gIVq8LxO4M5pw1klL7nrUOdki9F6Er53BDu0W7cyqCxSngmMBqfycuPbUl0i5j:PjLxu5K1CDY1gZ53p80npM4dl0s

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2056	d217f798e79ee612cbdc11cef1723dfe.exe

Executes dropped EXE 1 IoCs

pid	Process
2056	d217f798e79ee612cbdc11cef1723dfe.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
3840	4768	WerFault.exe	85
4480	2056	WerFault.exe	92
3308	2056	WerFault.exe	92
3744	2056	WerFault.exe	92
1528	2056	WerFault.exe	92
3580	2056	WerFault.exe	92
1372	2056	WerFault.exe	92

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4768	d217f798e79ee612cbdc11cef1723dfe.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2056	d217f798e79ee612cbdc11cef1723dfe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 2056	4768	d217f798e79ee612cbdc11cef1723dfe.exe	92
PID 4768 wrote to memory of 2056	4768	d217f798e79ee612cbdc11cef1723dfe.exe	92
PID 4768 wrote to memory of 2056	4768	d217f798e79ee612cbdc11cef1723dfe.exe	92

C:\Users\Admin\AppData\Local\Temp\d217f798e79ee612cbdc11cef1723dfe.exe
"C:\Users\Admin\AppData\Local\Temp\d217f798e79ee612cbdc11cef1723dfe.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 384
  2⤵
  - Program crash
  PID:3840
- C:\Users\Admin\AppData\Local\Temp\d217f798e79ee612cbdc11cef1723dfe.exe
  C:\Users\Admin\AppData\Local\Temp\d217f798e79ee612cbdc11cef1723dfe.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 352
    3⤵
    - Program crash
    PID:4480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 768
    3⤵
    - Program crash
    PID:3308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 788
    3⤵
    - Program crash
    PID:3744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 776
    3⤵
    - Program crash
    PID:1528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 772
    3⤵
    - Program crash
    PID:3580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 780
    3⤵
    - Program crash
    PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4768 -ip 4768
1⤵
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2056 -ip 2056
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2056 -ip 2056
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2056 -ip 2056
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2056 -ip 2056
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2056 -ip 2056
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2056 -ip 2056
1⤵
PID:5000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d217f798e79ee612cbdc11cef1723dfe.exe

Filesize
320KB

MD5
0a7310510b5bd62941f66ff187aafaf1

SHA1
8faa09362ecab1c6c1345ed86988f8bfca5a2dfa

SHA256
3649d5b744a62b0099448f8f973ba46759d5fb6f79ea0bd451975b7a780ef4e5

SHA512
5731a2da5284c3f84668b7117a79e22df355c682e443d6ee077473646e74f753c72aab5abc865e79b3164ab431955791b0000d8f75085e2a06f0efa019a61665

Download Submit
memory/2056-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2056-8-0x0000000003D80000-0x0000000003DBC000-memory.dmp

Filesize
240KB

Download
memory/2056-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4768-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4768-6-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download