de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d

General

Target

de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
Size

1.3MB
MD5

d92e29d88405e9a0047557d3f0e7cd69
SHA1

865dc31980298f951f5229c0526d784b531649a8
SHA256

de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d
SHA512

b777608922c9d946c1d712d905095e97ecdc5164e37d366be6fe46f4132a8bb186d55a5592624ccad1ba2d4359b8a57233024d897f0a45670b51049d2faa42f9
SSDEEP

24576:QAHnh+eWsN3skA4RV1Hom2KXMmHa3ju0NlfVJojr5:Hh+ZkldoPK8Ya3S0rVm

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4108 2388 WerFault.exe de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe

pid	pid_target	process	target process
4108	2388	WerFault.exe	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exede33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exede33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exede33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe

pid	process
1244	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
1692	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
5104	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
1368	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exede33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exede33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exede33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exede33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe

pid	process
1244	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
1244	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
1692	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
1692	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
5104	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
5104	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
1368	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
1368	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
2388	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
2388	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe

Suspicious use of SendNotifyMessage 10 IoCs

Processes:

de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exede33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exede33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exede33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exede33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe

pid	process
1244	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
1244	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
1692	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
1692	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
5104	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
5104	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
1368	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
1368	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
2388	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
2388	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exede33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exede33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exede33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exede33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe

description	pid	process	target process
PID 1244 wrote to memory of 4672	1244	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	RegSvcs.exe
PID 1244 wrote to memory of 4672	1244	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	RegSvcs.exe
PID 1244 wrote to memory of 4672	1244	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	RegSvcs.exe
PID 1244 wrote to memory of 1692	1244	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
PID 1244 wrote to memory of 1692	1244	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
PID 1244 wrote to memory of 1692	1244	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
PID 1692 wrote to memory of 2084	1692	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	RegSvcs.exe
PID 1692 wrote to memory of 2084	1692	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	RegSvcs.exe
PID 1692 wrote to memory of 2084	1692	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	RegSvcs.exe
PID 1692 wrote to memory of 5104	1692	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
PID 1692 wrote to memory of 5104	1692	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
PID 1692 wrote to memory of 5104	1692	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
PID 5104 wrote to memory of 232	5104	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	RegSvcs.exe
PID 5104 wrote to memory of 232	5104	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	RegSvcs.exe
PID 5104 wrote to memory of 232	5104	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	RegSvcs.exe
PID 5104 wrote to memory of 1368	5104	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
PID 5104 wrote to memory of 1368	5104	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
PID 5104 wrote to memory of 1368	5104	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
PID 1368 wrote to memory of 3888	1368	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	RegSvcs.exe
PID 1368 wrote to memory of 3888	1368	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	RegSvcs.exe
PID 1368 wrote to memory of 3888	1368	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	RegSvcs.exe
PID 1368 wrote to memory of 2388	1368	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
PID 1368 wrote to memory of 2388	1368	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
PID 1368 wrote to memory of 2388	1368	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
PID 2388 wrote to memory of 4584	2388	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	RegSvcs.exe
PID 2388 wrote to memory of 4584	2388	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	RegSvcs.exe
PID 2388 wrote to memory of 4584	2388	de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
"C:\Users\Admin\AppData\Local\Temp\de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe"
2⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
"C:\Users\Admin\AppData\Local\Temp\de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe"
3⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
"C:\Users\Admin\AppData\Local\Temp\de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe"
3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe"
4⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
"C:\Users\Admin\AppData\Local\Temp\de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe"
4⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe"
5⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe
"C:\Users\Admin\AppData\Local\Temp\de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe"
5⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\de33e5936f21cdc596ea54216b8c373a2acfed9b3527b31109d8c4e9bc1d288d.exe"
6⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 692
6⤵
- Program crash
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2388 -ip 2388
1⤵
PID:3672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut4362.tmp
Filesize
260KB

MD5
0a6111d1e45ffec0da56421bbd01868e

SHA1
4fb95dfe4d3c70a752368bba81560f34245b80df

SHA256
9a1f659718ea98726ff09927b2d0a51625aeeefcbe254cb66a3d7c7322ea9bf5

SHA512
0907c64b329bb826c6f1eeb529ed42fdedc33ad51bf3e4cbfdfa25ffce0508bde9744f7a76919ff1d6a3d117a73718b16baa150b55c243237e34716ac4b4ed31

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut4372.tmp
Filesize
9KB

MD5
986734a937ab70caf1582c467b68d44f

SHA1
e0a4c33aca89dac6a6d8ecf102e3790c72e2cbe7

SHA256
2ff3fb2f962bd73a86b895717917fe3291b8233a8953c1efa7b0e205de1bb040

SHA512
b4d6f3638986863947494ca62f4dee45887abeb275165a3a53a2104fe81cc88b00b69140301dd0b54c73b18d36ddbcac31fbd7c72d0f4d07a819ec8f4718e4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\intersentimental
Filesize
28KB

MD5
b96a63109dcd5b8f76009ef724b4788b

SHA1
4c8f12cd90e18269e563bcb3f1f72c37669b295d

SHA256
34cbceaa8f8a300110d600555b3ec805bde1587fbbce6c058b68515fe4abbb5a

SHA512
3847d3328e8a6e5c1a0545c434ed493c991e1b27fdd5d90dd100bbcabf577e5814239388c2db7edfff49168017fa1e2ad4ed5444f9a9d975c23eeaf490b1a2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iodization
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iodization
Filesize
261KB

MD5
dcfb177df109cc7a8cf4866e5929a94f

SHA1
29c7f11b8b769175e02333859d3f105a52176618

SHA256
560e29f0ab598f195553acc8c73ec008fafead5dc32e4c64b8d4d808774530bb

SHA512
75c3cb7f86c7aef165a5cb38e36075ff331111da958900b9b3471076a96db16089290dfd0c9f647a19b0d3fa35b6c60698e97f5dcea164b5c4584273d02662b4

Download Submit
memory/1244-10-0x0000000000F80000-0x0000000000F84000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads