727b8c35708cae6e9bd5b2c99dd8874ced19cf7156ccd87c3349760ecea8f7c8

Analysis

max time kernel
142s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

727b8c35708cae6e9bd5b2c99dd8874ced19cf7156ccd87c3349760ecea8f7c8.exe
Size

425KB
MD5

8cd12dbaea27a1ee9c0290c65da8decc
SHA1

d4ee353a8bdab1a85fee9bc38c78a66e6ced7579
SHA256

727b8c35708cae6e9bd5b2c99dd8874ced19cf7156ccd87c3349760ecea8f7c8
SHA512

fbbf885724a0d5cbedbe164d194564ba9f6f11ceba3127404d745974b53007ed4957d0767fd1f78fb8ab420616878cb963dfb3540eb8d5d0f6c87d8e37f5c9f9
SSDEEP

12288:mOndPNmtg9tVWc1+Lj1f1C+ffZMcQUZn2qhg2kD44zzrGEPVQ:mOnd8tAtVWc1+Lj1f1C+ffZMcQUZn2qv

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3728	727b8c35708cae6e9bd5b2c99dd8874ced19cf7156ccd87c3349760ecea8f7c8.exe

Executes dropped EXE 1 IoCs

pid	Process
3728	727b8c35708cae6e9bd5b2c99dd8874ced19cf7156ccd87c3349760ecea8f7c8.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
2992	232	WerFault.exe	82
1572	3728	WerFault.exe	88
4828	3728	WerFault.exe	88
3208	3728	WerFault.exe	88
1924	3728	WerFault.exe	88
4460	3728	WerFault.exe	88
5056	3728	WerFault.exe	88

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
232	727b8c35708cae6e9bd5b2c99dd8874ced19cf7156ccd87c3349760ecea8f7c8.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3728	727b8c35708cae6e9bd5b2c99dd8874ced19cf7156ccd87c3349760ecea8f7c8.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 3728	232	727b8c35708cae6e9bd5b2c99dd8874ced19cf7156ccd87c3349760ecea8f7c8.exe	88
PID 232 wrote to memory of 3728	232	727b8c35708cae6e9bd5b2c99dd8874ced19cf7156ccd87c3349760ecea8f7c8.exe	88
PID 232 wrote to memory of 3728	232	727b8c35708cae6e9bd5b2c99dd8874ced19cf7156ccd87c3349760ecea8f7c8.exe	88

C:\Users\Admin\AppData\Local\Temp\727b8c35708cae6e9bd5b2c99dd8874ced19cf7156ccd87c3349760ecea8f7c8.exe
"C:\Users\Admin\AppData\Local\Temp\727b8c35708cae6e9bd5b2c99dd8874ced19cf7156ccd87c3349760ecea8f7c8.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 384
  2⤵
  - Program crash
  PID:2992
- C:\Users\Admin\AppData\Local\Temp\727b8c35708cae6e9bd5b2c99dd8874ced19cf7156ccd87c3349760ecea8f7c8.exe
  C:\Users\Admin\AppData\Local\Temp\727b8c35708cae6e9bd5b2c99dd8874ced19cf7156ccd87c3349760ecea8f7c8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 364
    3⤵
    - Program crash
    PID:1572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 768
    3⤵
    - Program crash
    PID:4828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 788
    3⤵
    - Program crash
    PID:3208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 804
    3⤵
    - Program crash
    PID:1924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 776
    3⤵
    - Program crash
    PID:4460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 808
    3⤵
    - Program crash
    PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 232 -ip 232
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3728 -ip 3728
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3728 -ip 3728
1⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3728 -ip 3728
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3728 -ip 3728
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3728 -ip 3728
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3728 -ip 3728
1⤵
PID:3512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\727b8c35708cae6e9bd5b2c99dd8874ced19cf7156ccd87c3349760ecea8f7c8.exe

Filesize
425KB

MD5
2ec629627a901a36b0c76a4e1eeaff51

SHA1
8fa37dc0961d756084abfebf05a5a5bdbef510ea

SHA256
a56b02d9375b2f062743fdcef0af45bfc6e6f95c5e6ab2977b2b8d611c8257b6

SHA512
3527f0ac708c5f407e5913cb40a6d77b802927c0d758ab91dc2226772fb68fe7619ec24753bd0ee8700f590a986079662684b55611b5d9e5f8b69eaba5eb0eaf

Download Submit
memory/232-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3728-14-0x0000000001510000-0x0000000001543000-memory.dmp

Filesize
204KB

Download