9aeebafd714822f5509e1a3bc54b7f9fbba394cd23ef4c0ba4397f8f76fb2e7d

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9aeebafd714822f5509e1a3bc54b7f9fbba394cd23ef4c0ba4397f8f76fb2e7d.exe
Size

197KB
MD5

e12a15bc7d5fc99173d26a5b7eb78c87
SHA1

0b50bfcebcfd03859eceb3ef79a2fb601b171bbd
SHA256

9aeebafd714822f5509e1a3bc54b7f9fbba394cd23ef4c0ba4397f8f76fb2e7d
SHA512

fa298620b2b8b457da2b2fce2ab02953208f36b0e2075b380a5dc41a1db18c64e134c64e89cbd4b64d757a5798ba755c153dfe5cc510223346584a5cfdb43770
SSDEEP

3072:WKb6zjbDi6WsMSkFMsFbfYmA4fZiCii9qLr3+FmTr7L1Y6wkbys0+VY9kWG8H6Ye:WKbkP1EnA4CgybTr/TbysCyGH6Y6l

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4872	9aeebafd714822f5509e1a3bc54b7f9fbba394cd23ef4c0ba4397f8f76fb2e7d.exe

Executes dropped EXE 1 IoCs

pid	Process
4872	9aeebafd714822f5509e1a3bc54b7f9fbba394cd23ef4c0ba4397f8f76fb2e7d.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
2352	1452	WerFault.exe	82
2136	4872	WerFault.exe	88
2164	4872	WerFault.exe	88
5072	4872	WerFault.exe	88
712	4872	WerFault.exe	88
1284	4872	WerFault.exe	88
4964	4872	WerFault.exe	88

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1452	9aeebafd714822f5509e1a3bc54b7f9fbba394cd23ef4c0ba4397f8f76fb2e7d.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4872	9aeebafd714822f5509e1a3bc54b7f9fbba394cd23ef4c0ba4397f8f76fb2e7d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 4872	1452	9aeebafd714822f5509e1a3bc54b7f9fbba394cd23ef4c0ba4397f8f76fb2e7d.exe	88
PID 1452 wrote to memory of 4872	1452	9aeebafd714822f5509e1a3bc54b7f9fbba394cd23ef4c0ba4397f8f76fb2e7d.exe	88
PID 1452 wrote to memory of 4872	1452	9aeebafd714822f5509e1a3bc54b7f9fbba394cd23ef4c0ba4397f8f76fb2e7d.exe	88

C:\Users\Admin\AppData\Local\Temp\9aeebafd714822f5509e1a3bc54b7f9fbba394cd23ef4c0ba4397f8f76fb2e7d.exe
"C:\Users\Admin\AppData\Local\Temp\9aeebafd714822f5509e1a3bc54b7f9fbba394cd23ef4c0ba4397f8f76fb2e7d.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 384
  2⤵
  - Program crash
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\9aeebafd714822f5509e1a3bc54b7f9fbba394cd23ef4c0ba4397f8f76fb2e7d.exe
  C:\Users\Admin\AppData\Local\Temp\9aeebafd714822f5509e1a3bc54b7f9fbba394cd23ef4c0ba4397f8f76fb2e7d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 360
    3⤵
    - Program crash
    PID:2136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 772
    3⤵
    - Program crash
    PID:2164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 792
    3⤵
    - Program crash
    PID:5072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 780
    3⤵
    - Program crash
    PID:712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 812
    3⤵
    - Program crash
    PID:1284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 780
    3⤵
    - Program crash
    PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1452 -ip 1452
1⤵
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4872 -ip 4872
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4872 -ip 4872
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4872 -ip 4872
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4872 -ip 4872
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4872 -ip 4872
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4872 -ip 4872
1⤵
PID:4832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9aeebafd714822f5509e1a3bc54b7f9fbba394cd23ef4c0ba4397f8f76fb2e7d.exe

Filesize
197KB

MD5
b04eb330651e16ee78295a06e7d8996c

SHA1
e7604a05b29ef1c1165e992b313f2feeebbe38cd

SHA256
e8776740df3d7e61f987d7f801a907152f2463c6d3c37b44916a7d9bf12d011f

SHA512
5ad993ca9c96742211a19c2f34c3697b39ea5a3e5ec2cc3b60e22c31612d08770e81e0dc56e9cb7032e5146bda05c5383e01c654f320ff1820a4a6ac4e82039b

Download Submit
memory/1452-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1452-6-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4872-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4872-8-0x00000000014D0000-0x000000000150F000-memory.dmp

Filesize
252KB

Download
memory/4872-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4872-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download