d63e2c3f4ccd7d0048f50e7fb6bac25bb9bb79e21452e552c83f2d98a4fa46ab

Analysis

max time kernel
152s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 17:00

Target

ptu621.exe
Size

5.0MB
MD5

516e4e61cf92a3d6b17ad2c181c2a939
SHA1

3f3f81dea9779a5d9d8478b0386867ccbe17d450
SHA256

3cb1389aa245b496d15d20d25fcefa35f35f85744413205e90caa78f0805902c
SHA512

143e0372ca5ca9c7197d4de69f595fb5b13d517db424331737274b252f16f4cec7490956d08618fcd823f9a9b42e95a7f0439c01a032568722dc864f2b3df71e
SSDEEP

98304:RUxt0mBCcZbMMWl7ZSnSC/Ao4f2uZE+2N3wALB2QviKo8D5yEg9yUPvnoh8dKjn8:uEA7YURz4RZEL3Z2ElcTywrdKj7KNQ

Score

7^/10

upx

Executes dropped EXE 1 IoCs

Processes:

ptu621Srv.exe

pid process

4780 ptu621Srv.exe

pid	process
4780	ptu621Srv.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/5112-0-0x0000000000400000-0x0000000000CA5000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\ptu621Srv.exe	upx
behavioral2/memory/4780-4-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4780-5-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/5112-6-0x0000000000400000-0x0000000000CA5000-memory.dmp	upx

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3120 4780 WerFault.exe ptu621Srv.exe
5116 5112 WerFault.exe ptu621.exe

pid	pid_target	process	target process
3120	4780	WerFault.exe	ptu621Srv.exe
5116	5112	WerFault.exe	ptu621.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ptu621.exe

description	pid	process	target process
PID 5112 wrote to memory of 4780	5112	ptu621.exe	ptu621Srv.exe
PID 5112 wrote to memory of 4780	5112	ptu621.exe	ptu621Srv.exe
PID 5112 wrote to memory of 4780	5112	ptu621.exe	ptu621Srv.exe

C:\Users\Admin\AppData\Local\Temp\ptu621.exe
"C:\Users\Admin\AppData\Local\Temp\ptu621.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5112

C:\Users\Admin\AppData\Local\Temp\ptu621Srv.exe
C:\Users\Admin\AppData\Local\Temp\ptu621Srv.exe
2⤵
- Executes dropped EXE
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 280
3⤵
- Program crash
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 560
2⤵
- Program crash
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4780 -ip 4780
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 5112 -ip 5112
1⤵
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\ptu621Srv.exe
Filesize
74KB

MD5
cb458dd109a10f16c430dee34464cd8f

SHA1
1bc955db0463913cc7d0434c2318c9f2202240e0

SHA256
21aa1977c0d7d0404f97515d87d6f26f3f2c2b01d054be6056d119d33d3856e3

SHA512
5321f11d92150fdb07f94092fa97fe88bd45714237e4ba245b7f5fbfd4425857fa8d242858d4fd038d77ee7644d276dfb63b7403469ddaf1b53879f391c3f490

Download Submit
memory/4780-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-0-0x0000000000400000-0x0000000000CA5000-memory.dmp

Filesize
8.6MB

Download
memory/5112-6-0x0000000000400000-0x0000000000CA5000-memory.dmp

Filesize
8.6MB

Download