db3e70b7e5dbcd753f489682db46591fe29456abcef5464a45203b292daf4904

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db3e70b7e5dbcd753f489682db46591fe29456abcef5464a45203b292daf4904.exe
Size

175KB
MD5

5a2890a9cb19ad143b906208ddb2cad3
SHA1

4db0cd609edc407ba543e0f22c8dde54f1dd3396
SHA256

db3e70b7e5dbcd753f489682db46591fe29456abcef5464a45203b292daf4904
SHA512

fe6116845ed83b88169750d70a7549b7871f62583dd0e253dc2aa7b6d334dbf077389ee6e01c24145bd7ac0837374134c9fcfef9799fa65e713d172303483c8e
SSDEEP

3072:xwIEF2TkdPvS25JFY1O/hk+C6PzImq3Zl/CYok0isoq7r0rj5:2bUTkdPK2KAi6qL/CYoX9oq7Yrt

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1912	db3e70b7e5dbcd753f489682db46591fe29456abcef5464a45203b292daf4904.exe

Executes dropped EXE 1 IoCs

pid	Process
1912	db3e70b7e5dbcd753f489682db46591fe29456abcef5464a45203b292daf4904.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
2916	4396	WerFault.exe	82
2408	1912	WerFault.exe	87
3468	1912	WerFault.exe	87
2252	1912	WerFault.exe	87
1504	1912	WerFault.exe	87
2372	1912	WerFault.exe	87
5108	1912	WerFault.exe	87

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4396	db3e70b7e5dbcd753f489682db46591fe29456abcef5464a45203b292daf4904.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1912	db3e70b7e5dbcd753f489682db46591fe29456abcef5464a45203b292daf4904.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 1912	4396	db3e70b7e5dbcd753f489682db46591fe29456abcef5464a45203b292daf4904.exe	87
PID 4396 wrote to memory of 1912	4396	db3e70b7e5dbcd753f489682db46591fe29456abcef5464a45203b292daf4904.exe	87
PID 4396 wrote to memory of 1912	4396	db3e70b7e5dbcd753f489682db46591fe29456abcef5464a45203b292daf4904.exe	87

C:\Users\Admin\AppData\Local\Temp\db3e70b7e5dbcd753f489682db46591fe29456abcef5464a45203b292daf4904.exe
"C:\Users\Admin\AppData\Local\Temp\db3e70b7e5dbcd753f489682db46591fe29456abcef5464a45203b292daf4904.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 384
  2⤵
  - Program crash
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\db3e70b7e5dbcd753f489682db46591fe29456abcef5464a45203b292daf4904.exe
  C:\Users\Admin\AppData\Local\Temp\db3e70b7e5dbcd753f489682db46591fe29456abcef5464a45203b292daf4904.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 352
    3⤵
    - Program crash
    PID:2408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 768
    3⤵
    - Program crash
    PID:3468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 788
    3⤵
    - Program crash
    PID:2252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 772
    3⤵
    - Program crash
    PID:1504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 768
    3⤵
    - Program crash
    PID:2372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 776
    3⤵
    - Program crash
    PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4396 -ip 4396
1⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1912 -ip 1912
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1912 -ip 1912
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1912 -ip 1912
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1912 -ip 1912
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1912 -ip 1912
1⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1912 -ip 1912
1⤵
PID:2376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\db3e70b7e5dbcd753f489682db46591fe29456abcef5464a45203b292daf4904.exe

Filesize
175KB

MD5
a1e8bdcabbca939178b48965fd1adda7

SHA1
0e86287cb00a7152aa12263cbd285b13e41592b6

SHA256
71571a09ae4c0a3b64947919e8c58cd009d1a07b3969f0f4c6ad6faa1879f237

SHA512
7d9d5f0432f17435d287bb7b619d6d2a86f2ac6e7bad0e6bdcca1b730372c037f12345391d9305e29ac0d376a8846c0fc39afc9ea53c18b4c57079a8a9219e2c

Download Submit
memory/1912-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1912-14-0x0000000004D80000-0x0000000004DB3000-memory.dmp

Filesize
204KB

Download
memory/4396-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download