d18fc730b89f645e6ddb13c7c6d54041ac8b1d2a6677502ef792f8e74988e3d7

Analysis

max time kernel
148s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d18fc730b89f645e6ddb13c7c6d54041ac8b1d2a6677502ef792f8e74988e3d7.exe
Size

197KB
MD5

b9ed244d0ae3dc5000c6fb1640e0066b
SHA1

5be79bbfa43132c81aee7a097fd20f46d537c9c6
SHA256

d18fc730b89f645e6ddb13c7c6d54041ac8b1d2a6677502ef792f8e74988e3d7
SHA512

68dd935f443a86ea6cb85030532af67aa3b8eae26c1c88027b8e63c2c0155bd592a3309e4794e19dc1875fa691df93369eeae13125f08419be504035df616689
SSDEEP

3072:0fAZeNa3xriqJ/HTCA2xWhGBIW4qQyiU4RlNayavQUOTxcD4gcUP0+VY9kWG8H6v:0fAD/lhy+bNHzTuHPCyGH6Y6l

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2716	d18fc730b89f645e6ddb13c7c6d54041ac8b1d2a6677502ef792f8e74988e3d7.exe

Executes dropped EXE 1 IoCs

pid	Process
2716	d18fc730b89f645e6ddb13c7c6d54041ac8b1d2a6677502ef792f8e74988e3d7.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4080	4236	WerFault.exe	83
5064	2716	WerFault.exe	89
1160	2716	WerFault.exe	89
4884	2716	WerFault.exe	89
3056	2716	WerFault.exe	89
2800	2716	WerFault.exe	89
2824	2716	WerFault.exe	89

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4236	d18fc730b89f645e6ddb13c7c6d54041ac8b1d2a6677502ef792f8e74988e3d7.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2716	d18fc730b89f645e6ddb13c7c6d54041ac8b1d2a6677502ef792f8e74988e3d7.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 2716	4236	d18fc730b89f645e6ddb13c7c6d54041ac8b1d2a6677502ef792f8e74988e3d7.exe	89
PID 4236 wrote to memory of 2716	4236	d18fc730b89f645e6ddb13c7c6d54041ac8b1d2a6677502ef792f8e74988e3d7.exe	89
PID 4236 wrote to memory of 2716	4236	d18fc730b89f645e6ddb13c7c6d54041ac8b1d2a6677502ef792f8e74988e3d7.exe	89

C:\Users\Admin\AppData\Local\Temp\d18fc730b89f645e6ddb13c7c6d54041ac8b1d2a6677502ef792f8e74988e3d7.exe
"C:\Users\Admin\AppData\Local\Temp\d18fc730b89f645e6ddb13c7c6d54041ac8b1d2a6677502ef792f8e74988e3d7.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 384
  2⤵
  - Program crash
  PID:4080
- C:\Users\Admin\AppData\Local\Temp\d18fc730b89f645e6ddb13c7c6d54041ac8b1d2a6677502ef792f8e74988e3d7.exe
  C:\Users\Admin\AppData\Local\Temp\d18fc730b89f645e6ddb13c7c6d54041ac8b1d2a6677502ef792f8e74988e3d7.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 368
    3⤵
    - Program crash
    PID:5064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 768
    3⤵
    - Program crash
    PID:1160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 788
    3⤵
    - Program crash
    PID:4884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 772
    3⤵
    - Program crash
    PID:3056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 776
    3⤵
    - Program crash
    PID:2800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 788
    3⤵
    - Program crash
    PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4236 -ip 4236
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2716 -ip 2716
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2716 -ip 2716
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2716 -ip 2716
1⤵
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2716 -ip 2716
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2716 -ip 2716
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2716 -ip 2716
1⤵
PID:4372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d18fc730b89f645e6ddb13c7c6d54041ac8b1d2a6677502ef792f8e74988e3d7.exe

Filesize
197KB

MD5
50835c34a69a2317602e22a982228116

SHA1
865af02d94c904d64e50a14fa0de22ae4d83b154

SHA256
5924a42048de08a80d24b1771d9bfc3087d18bd73e0902ede0c878d2e9da0a5f

SHA512
9fe11922203825a7b7b0171378efbad9f2e7afb6b7c67385b11d7650ba482ab005775703cdf6a116cdeb700e3d25365aeb06a1b7865dc7a7ba09fed2303abc1b

Download Submit
memory/2716-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2716-8-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2716-13-0x0000000004D90000-0x0000000004DCF000-memory.dmp

Filesize
252KB

Download
memory/2716-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4236-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4236-6-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download