18f822056de3529bc6a064fdbd9bd68d37bd9d2f996dd0c2141693d19fae718f

Analysis

max time kernel
147s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18f822056de3529bc6a064fdbd9bd68d37bd9d2f996dd0c2141693d19fae718f.exe
Size

189KB
MD5

a67b7541f072bcc0870edbeab70a7bfb
SHA1

90e4e4a9cd757b0d43b9b176c4b8706fd0cbfc6b
SHA256

18f822056de3529bc6a064fdbd9bd68d37bd9d2f996dd0c2141693d19fae718f
SHA512

aed657ae8a3fbdd41405e013f15616b8d02268d66991e3a2cf3c6142446049c30c5a601f25d63612a8f1acc7dab86ffc67c7358be9be714bfbb9bbbf62847af5
SSDEEP

3072:3Lpk+NsWEmfEO8r/7QZWCGet13eho7jMIzbrT+cU+hCw3BDR:JtQR7QZdGIOhMVaI53BDR

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4796	18f822056de3529bc6a064fdbd9bd68d37bd9d2f996dd0c2141693d19fae718f.exe

Executes dropped EXE 1 IoCs

pid	Process
4796	18f822056de3529bc6a064fdbd9bd68d37bd9d2f996dd0c2141693d19fae718f.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
3312	3652	WerFault.exe	82
4836	4796	WerFault.exe
3680	4796	WerFault.exe	86
2292	4796	WerFault.exe	86
3600	4796	WerFault.exe	86
4456	4796	WerFault.exe	86
4420	4796	WerFault.exe	86

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3652	18f822056de3529bc6a064fdbd9bd68d37bd9d2f996dd0c2141693d19fae718f.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4796	18f822056de3529bc6a064fdbd9bd68d37bd9d2f996dd0c2141693d19fae718f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 4796	3652	18f822056de3529bc6a064fdbd9bd68d37bd9d2f996dd0c2141693d19fae718f.exe	86
PID 3652 wrote to memory of 4796	3652	18f822056de3529bc6a064fdbd9bd68d37bd9d2f996dd0c2141693d19fae718f.exe	86
PID 3652 wrote to memory of 4796	3652	18f822056de3529bc6a064fdbd9bd68d37bd9d2f996dd0c2141693d19fae718f.exe	86

C:\Users\Admin\AppData\Local\Temp\18f822056de3529bc6a064fdbd9bd68d37bd9d2f996dd0c2141693d19fae718f.exe
"C:\Users\Admin\AppData\Local\Temp\18f822056de3529bc6a064fdbd9bd68d37bd9d2f996dd0c2141693d19fae718f.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 384
  2⤵
  - Program crash
  PID:3312
- C:\Users\Admin\AppData\Local\Temp\18f822056de3529bc6a064fdbd9bd68d37bd9d2f996dd0c2141693d19fae718f.exe
  C:\Users\Admin\AppData\Local\Temp\18f822056de3529bc6a064fdbd9bd68d37bd9d2f996dd0c2141693d19fae718f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 352
    3⤵
    - Program crash
    PID:4836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 740
    3⤵
    - Program crash
    PID:3680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 772
    3⤵
    - Program crash
    PID:2292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 776
    3⤵
    - Program crash
    PID:3600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 772
    3⤵
    - Program crash
    PID:4456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 812
    3⤵
    - Program crash
    PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3652 -ip 3652
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4796 -ip 4796
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4796 -ip 4796
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4796 -ip 4796
1⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4796 -ip 4796
1⤵
PID:244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4796 -ip 4796
1⤵
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4796 -ip 4796
1⤵
PID:4248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\18f822056de3529bc6a064fdbd9bd68d37bd9d2f996dd0c2141693d19fae718f.exe

Filesize
189KB

MD5
41e7e785d783391ab61c939e4e9e6408

SHA1
35c96a2009b63fdb12628dedf27d240b7f90a517

SHA256
4d2cf3a056c27b39919ab02d544d88ac871ec4aa3a8694e39e0560179dec3704

SHA512
173b2a46609abb5841d7898431883f2c1623bd1e38879631ee6223cd07bb21975b0cdc61781becbe1ede6a58985c1d225253e8466f5888ac487c4400545d5630

Download Submit
memory/3652-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3652-6-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4796-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4796-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4796-13-0x00000000014B0000-0x00000000014EC000-memory.dmp

Filesize
240KB

Download