8fb7ada83f8c48c1cc6a111d087c8573565bea8164faafade015093e77593fd0

Analysis

max time kernel
149s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fb7ada83f8c48c1cc6a111d087c8573565bea8164faafade015093e77593fd0.exe
Size

203KB
MD5

8e7ad39c2dffd90ec1193ee872d58c46
SHA1

1cd52032761a1d6fa7949931cbfec578e057003d
SHA256

8fb7ada83f8c48c1cc6a111d087c8573565bea8164faafade015093e77593fd0
SHA512

2a7f582abdddef99e70164bb7f8359df7a25c1fc8efb63567215884d5104e354f2c56af8db2470cde76d170f0d1574f5f8eb54be3ce56492cb78009cbfca8898
SSDEEP

6144:kG8HIAvFc2R6h9QJRnENc0UQnd6gsX2EusZ:kG8HIANc2R6h9QJVENc0igsX2fg

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5064	8fb7ada83f8c48c1cc6a111d087c8573565bea8164faafade015093e77593fd0.exe

Executes dropped EXE 1 IoCs

pid	Process
5064	8fb7ada83f8c48c1cc6a111d087c8573565bea8164faafade015093e77593fd0.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
1492	3240	WerFault.exe	83
4616	5064	WerFault.exe	90
2956	5064	WerFault.exe	90
4512	5064	WerFault.exe	90
1820	5064	WerFault.exe	90
2028	5064	WerFault.exe	90
4552	5064	WerFault.exe	90

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3240	8fb7ada83f8c48c1cc6a111d087c8573565bea8164faafade015093e77593fd0.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
5064	8fb7ada83f8c48c1cc6a111d087c8573565bea8164faafade015093e77593fd0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 5064	3240	8fb7ada83f8c48c1cc6a111d087c8573565bea8164faafade015093e77593fd0.exe	90
PID 3240 wrote to memory of 5064	3240	8fb7ada83f8c48c1cc6a111d087c8573565bea8164faafade015093e77593fd0.exe	90
PID 3240 wrote to memory of 5064	3240	8fb7ada83f8c48c1cc6a111d087c8573565bea8164faafade015093e77593fd0.exe	90

C:\Users\Admin\AppData\Local\Temp\8fb7ada83f8c48c1cc6a111d087c8573565bea8164faafade015093e77593fd0.exe
"C:\Users\Admin\AppData\Local\Temp\8fb7ada83f8c48c1cc6a111d087c8573565bea8164faafade015093e77593fd0.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 384
  2⤵
  - Program crash
  PID:1492
- C:\Users\Admin\AppData\Local\Temp\8fb7ada83f8c48c1cc6a111d087c8573565bea8164faafade015093e77593fd0.exe
  C:\Users\Admin\AppData\Local\Temp\8fb7ada83f8c48c1cc6a111d087c8573565bea8164faafade015093e77593fd0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:5064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 352
    3⤵
    - Program crash
    PID:4616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 768
    3⤵
    - Program crash
    PID:2956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 772
    3⤵
    - Program crash
    PID:4512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 792
    3⤵
    - Program crash
    PID:1820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 776
    3⤵
    - Program crash
    PID:2028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 760
    3⤵
    - Program crash
    PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3240 -ip 3240
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5064 -ip 5064
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5064 -ip 5064
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5064 -ip 5064
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5064 -ip 5064
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5064 -ip 5064
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5064 -ip 5064
1⤵
PID:3572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8fb7ada83f8c48c1cc6a111d087c8573565bea8164faafade015093e77593fd0.exe

Filesize
203KB

MD5
e5e595c3e9757acf755085773d450742

SHA1
0c45a8609898da330947cc063c093c1ac90dd48b

SHA256
a61b0397cf3d6ee45c9b30d2717f29907470a6da248c77cce1abe0a982f4d994

SHA512
6bc6a0c7bc0473ad865d0d211fa86ce6462dd50f1636d7456ea869435d9acabca363ef8d89adc5ffe2a8ec6f8980e431f781a98535c9d0386c6a388d369a946a

Download Submit
memory/3240-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3240-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5064-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5064-8-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5064-13-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download