a4da7bf70173e249f33d366d3ea3b39b25e1d25bb09d21b8ac5e1f4ef1aa8a0e

Analysis

max time kernel
97s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 13:23

Target

e20cf5c319fe815eb1845556289e56f8c3241019a907adb6f4a33e8dc9ecab59.exe
Size

559KB
MD5

f13f9ca5ede930df8310e504372ca4e5
SHA1

bd28bfbb2472cd7f66be9cfcc11b77c17d08cec7
SHA256

e20cf5c319fe815eb1845556289e56f8c3241019a907adb6f4a33e8dc9ecab59
SHA512

ffe9fc1378bd084fa785c2d9361c32dcc740355d208b425647b3a0e5b02f8040154e60595e62c8100728ed4ded99c1d9ce3c69de3a8ce4226d50be0c5955850a
SSDEEP

12288:CsHzOUNUSB/o5LsI1uwajJ5yvv1l2ihNYL+58d2:ViUmSB/o5d1ubcvvu+502

Score

7^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/2128-0-0x0000000000540000-0x0000000000683000-memory.dmp	upx
behavioral2/memory/2128-12-0x0000000000540000-0x0000000000683000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/2128-12-0x0000000000540000-0x0000000000683000-memory.dmp	autoit_exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1576 2128 WerFault.exe e20cf5c319fe815eb1845556289e56f8c3241019a907adb6f4a33e8dc9ecab59.exe

pid	pid_target	process	target process
1576	2128	WerFault.exe	e20cf5c319fe815eb1845556289e56f8c3241019a907adb6f4a33e8dc9ecab59.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

e20cf5c319fe815eb1845556289e56f8c3241019a907adb6f4a33e8dc9ecab59.exe

pid	process
2128	e20cf5c319fe815eb1845556289e56f8c3241019a907adb6f4a33e8dc9ecab59.exe
2128	e20cf5c319fe815eb1845556289e56f8c3241019a907adb6f4a33e8dc9ecab59.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

e20cf5c319fe815eb1845556289e56f8c3241019a907adb6f4a33e8dc9ecab59.exe

pid	process
2128	e20cf5c319fe815eb1845556289e56f8c3241019a907adb6f4a33e8dc9ecab59.exe
2128	e20cf5c319fe815eb1845556289e56f8c3241019a907adb6f4a33e8dc9ecab59.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e20cf5c319fe815eb1845556289e56f8c3241019a907adb6f4a33e8dc9ecab59.exe

description	pid	process	target process
PID 2128 wrote to memory of 1444	2128	e20cf5c319fe815eb1845556289e56f8c3241019a907adb6f4a33e8dc9ecab59.exe	svchost.exe
PID 2128 wrote to memory of 1444	2128	e20cf5c319fe815eb1845556289e56f8c3241019a907adb6f4a33e8dc9ecab59.exe	svchost.exe
PID 2128 wrote to memory of 1444	2128	e20cf5c319fe815eb1845556289e56f8c3241019a907adb6f4a33e8dc9ecab59.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\e20cf5c319fe815eb1845556289e56f8c3241019a907adb6f4a33e8dc9ecab59.exe
"C:\Users\Admin\AppData\Local\Temp\e20cf5c319fe815eb1845556289e56f8c3241019a907adb6f4a33e8dc9ecab59.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\e20cf5c319fe815eb1845556289e56f8c3241019a907adb6f4a33e8dc9ecab59.exe"
  2⤵
  PID:1444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 692
  2⤵
  - Program crash
  PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2128 -ip 2128
1⤵
PID:3244

memory/2128-0-0x0000000000540000-0x0000000000683000-memory.dmp

Filesize
1.3MB

Download
memory/2128-11-0x00000000015B0000-0x00000000015B4000-memory.dmp

Filesize
16KB

Download
memory/2128-12-0x0000000000540000-0x0000000000683000-memory.dmp

Filesize
1.3MB

Download