87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe
Size

628KB
MD5

afe6d7985388013e32ae388a29600ae2
SHA1

f8082260e1591b439fdaf2ccfe3c80ccfe9d8ea6
SHA256

87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329
SHA512

98b7d345a39c755c16ff17f167de868d7b5ab9acba40f9bb9afe34056698809a5591924c9197689fb05062ed8ea68d61a91404c8e879bad4d24e5bb544782c1c
SSDEEP

6144:9qqDLuK1hG/uo0luLBjUX3DPg5trMON1JIIAFwp1I40zL75grM5IEu7h95Pp3qI:AqnuKTo0YSXbg5twsoEa375Z5VgfP

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3856	3636	WerFault.exe	97

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe
1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe
1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe
1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe
1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe
1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe
1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe
1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97
PID 1840 wrote to memory of 3636	1840	87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe	97

C:\Users\Admin\AppData\Local\Temp\87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe
"C:\Users\Admin\AppData\Local\Temp\87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:3636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 12
    3⤵
    - Program crash
    PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 3636 -ip 3636
1⤵
PID:3664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1840-0-0x0000000002300000-0x000000000237B000-memory.dmp

Filesize
492KB

Download
memory/1840-1-0x0000000077252000-0x0000000077253000-memory.dmp

Filesize
4KB

Download
memory/1840-3-0x0000000002300000-0x000000000237B000-memory.dmp

Filesize
492KB

Download