f108541ceddf15c47d0b62dfeece9c0351106d8df195aefa91dbd5ebcfb47fa7

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 02:39

Target

f108541ceddf15c47d0b62dfeece9c0351106d8df195aefa91dbd5ebcfb47fa7.exe
Size

33KB
MD5

fd1cf647f6b883dbcacb10e143f32f82
SHA1

6a188609b373583fe3a58e6aacb58e04cee97eab
SHA256

f108541ceddf15c47d0b62dfeece9c0351106d8df195aefa91dbd5ebcfb47fa7
SHA512

bce6ea19e7a095cf7d0ff197372da1876eb9e7272a111620c57b81a21dabd7634393b7f147c62d215741995fef3c605561d0f6a910be4af9040fb29927ec9321
SSDEEP

768:SvA/Hr0o5hoBeT94bdAVGDLCHgqG/gozD2M:SotfoBeTSemLCjGIod

Score

9^/10

Detects executables containing bas64 encoded gzip files 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2372-1-0x000000013FAD0000-0x000000013FADC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f108541ceddf15c47d0b62dfeece9c0351106d8df195aefa91dbd5ebcfb47fa7.exe

description	pid	process	target process
PID 2372 wrote to memory of 3036	2372	f108541ceddf15c47d0b62dfeece9c0351106d8df195aefa91dbd5ebcfb47fa7.exe	WerFault.exe
PID 2372 wrote to memory of 3036	2372	f108541ceddf15c47d0b62dfeece9c0351106d8df195aefa91dbd5ebcfb47fa7.exe	WerFault.exe
PID 2372 wrote to memory of 3036	2372	f108541ceddf15c47d0b62dfeece9c0351106d8df195aefa91dbd5ebcfb47fa7.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\f108541ceddf15c47d0b62dfeece9c0351106d8df195aefa91dbd5ebcfb47fa7.exe
"C:\Users\Admin\AppData\Local\Temp\f108541ceddf15c47d0b62dfeece9c0351106d8df195aefa91dbd5ebcfb47fa7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2372 -s 516
2⤵
PID:3036

memory/2372-0-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

Filesize
4KB

Download
memory/2372-1-0x000000013FAD0000-0x000000013FADC000-memory.dmp

Filesize
48KB

Download