648b42bc697d4e0ce7ccf2b3c8a977aad1416d6558e96e9dd2c543a5233f0205

Analysis

max time kernel
149s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

648b42bc697d4e0ce7ccf2b3c8a977aad1416d6558e96e9dd2c543a5233f0205.exe
Size

192KB
MD5

d25500cd935f5eedb2ab29aca8f08d07
SHA1

e8d72d024adcfd5daae57520c6deee487311b94e
SHA256

648b42bc697d4e0ce7ccf2b3c8a977aad1416d6558e96e9dd2c543a5233f0205
SHA512

2092e0729b7b68054cdd52a09a0e8c0bd99b71cb78ecc596593abb20102f01df22664aacf8e24172c4aa5500eaf4dc21276820fddf103c2c00a0d36d69528860
SSDEEP

3072:YGEKsUfTfds5UZYTsKhK84aOxZAaRWnWVX4KDc0jNNI4gRSsuCZq:8KsUfTfdPuwnaOxZAnkX4CNIDEqZq

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1816	648b42bc697d4e0ce7ccf2b3c8a977aad1416d6558e96e9dd2c543a5233f0205.exe

Executes dropped EXE 1 IoCs

pid	Process
1816	648b42bc697d4e0ce7ccf2b3c8a977aad1416d6558e96e9dd2c543a5233f0205.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
1040	3556	WerFault.exe	81
2604	1816	WerFault.exe	87
4592	1816	WerFault.exe	87
1616	1816	WerFault.exe	87
1248	1816	WerFault.exe	87
1920	1816	WerFault.exe	87
2920	1816	WerFault.exe	87

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3556	648b42bc697d4e0ce7ccf2b3c8a977aad1416d6558e96e9dd2c543a5233f0205.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1816	648b42bc697d4e0ce7ccf2b3c8a977aad1416d6558e96e9dd2c543a5233f0205.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 1816	3556	648b42bc697d4e0ce7ccf2b3c8a977aad1416d6558e96e9dd2c543a5233f0205.exe	87
PID 3556 wrote to memory of 1816	3556	648b42bc697d4e0ce7ccf2b3c8a977aad1416d6558e96e9dd2c543a5233f0205.exe	87
PID 3556 wrote to memory of 1816	3556	648b42bc697d4e0ce7ccf2b3c8a977aad1416d6558e96e9dd2c543a5233f0205.exe	87

C:\Users\Admin\AppData\Local\Temp\648b42bc697d4e0ce7ccf2b3c8a977aad1416d6558e96e9dd2c543a5233f0205.exe
"C:\Users\Admin\AppData\Local\Temp\648b42bc697d4e0ce7ccf2b3c8a977aad1416d6558e96e9dd2c543a5233f0205.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 324
  2⤵
  - Program crash
  PID:1040
- C:\Users\Admin\AppData\Local\Temp\648b42bc697d4e0ce7ccf2b3c8a977aad1416d6558e96e9dd2c543a5233f0205.exe
  C:\Users\Admin\AppData\Local\Temp\648b42bc697d4e0ce7ccf2b3c8a977aad1416d6558e96e9dd2c543a5233f0205.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 352
    3⤵
    - Program crash
    PID:2604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 740
    3⤵
    - Program crash
    PID:4592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 808
    3⤵
    - Program crash
    PID:1616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 816
    3⤵
    - Program crash
    PID:1248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 780
    3⤵
    - Program crash
    PID:1920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 744
    3⤵
    - Program crash
    PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3556 -ip 3556
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1816 -ip 1816
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1816 -ip 1816
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1816 -ip 1816
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1816 -ip 1816
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1816 -ip 1816
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1816 -ip 1816
1⤵
PID:2520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\648b42bc697d4e0ce7ccf2b3c8a977aad1416d6558e96e9dd2c543a5233f0205.exe

Filesize
192KB

MD5
fed035431685b147f890cb18d179d576

SHA1
6716882c66b900f15028ae9fd922f4e84eaddcb9

SHA256
92fade4dbae4344f10e84f67091415ab81898ac8fdabf1a21f779d4818a98d07

SHA512
79345f7bab0728f4102b01be1dbbed514bffb3bf81420bc871a864ddbe0844920ee0d28caa0f5d44335d1a6947db632400980c3a3d54fb88b4988a3251f29e73

Download Submit
memory/1816-8-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1816-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1816-14-0x00000000014A0000-0x00000000014D8000-memory.dmp

Filesize
224KB

Download
memory/3556-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3556-7-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download