d9598915932030d8c05825ef9d1d331cbea8cb887aa6570f96d3cec23c311411

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 02:04

Target

d9598915932030d8c05825ef9d1d331cbea8cb887aa6570f96d3cec23c311411.exe
Size

4.8MB
MD5

3d5d6485af7cd75f9cb1284a35e70f97
SHA1

511388b6ef0247a952580e1aaa70e6e7646e35fb
SHA256

d9598915932030d8c05825ef9d1d331cbea8cb887aa6570f96d3cec23c311411
SHA512

c4340c7947b23b83c8acb2a08fdc599ad24fc891d9ac81e6b98b00509a681266d2f390cf7f10123504b4bffdf77a0108cd6249ca7272ac4f4bcd0d106b406e4a
SSDEEP

98304:pSnTPjsgAvcAbjUTRl92dXeYbFhGLhWQDf6Z1a51:pSnT7bAEAbjUvoDhGLAaj

Score

9^/10

Detects executables packed with Dotfuscator 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3028-1-0x0000000000F10000-0x00000000013DE000-memory.dmp	INDICATOR_EXE_Packed_Dotfuscator

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2984 3028 WerFault.exe d9598915932030d8c05825ef9d1d331cbea8cb887aa6570f96d3cec23c311411.exe

pid	pid_target	process	target process
2984	3028	WerFault.exe	d9598915932030d8c05825ef9d1d331cbea8cb887aa6570f96d3cec23c311411.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

d9598915932030d8c05825ef9d1d331cbea8cb887aa6570f96d3cec23c311411.exe

description	pid	process	target process
PID 3028 wrote to memory of 2984	3028	d9598915932030d8c05825ef9d1d331cbea8cb887aa6570f96d3cec23c311411.exe	WerFault.exe
PID 3028 wrote to memory of 2984	3028	d9598915932030d8c05825ef9d1d331cbea8cb887aa6570f96d3cec23c311411.exe	WerFault.exe
PID 3028 wrote to memory of 2984	3028	d9598915932030d8c05825ef9d1d331cbea8cb887aa6570f96d3cec23c311411.exe	WerFault.exe
PID 3028 wrote to memory of 2984	3028	d9598915932030d8c05825ef9d1d331cbea8cb887aa6570f96d3cec23c311411.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\d9598915932030d8c05825ef9d1d331cbea8cb887aa6570f96d3cec23c311411.exe
"C:\Users\Admin\AppData\Local\Temp\d9598915932030d8c05825ef9d1d331cbea8cb887aa6570f96d3cec23c311411.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 544
2⤵
- Program crash
PID:2984

memory/3028-0-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

Filesize
4KB

Download
memory/3028-1-0x0000000000F10000-0x00000000013DE000-memory.dmp

Filesize
4.8MB

Download