3321b31b6993f573dbd51bb53185112a96382e52bc85d416eb4aa7286fd2cdcd

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 03:20

Target

3321b31b6993f573dbd51bb53185112a96382e52bc85d416eb4aa7286fd2cdcd.exe
Size

218KB
MD5

8819882ccd72c7f0ed91b62b31190310
SHA1

3261680ae8f1763bfedd38c7f0f9e663e2379fe8
SHA256

3321b31b6993f573dbd51bb53185112a96382e52bc85d416eb4aa7286fd2cdcd
SHA512

16b2420e03b7f7603d131e5c6c7440a9d47bf3e8b8ef024354b7110f31c1174c32f97b6ea04288b11ef47e75d112098835d4baa0ac9b9daf103e9fb9a014a519
SSDEEP

3072:AOHujgrlZMqkRAWifFQZVcYNoBoTLMLlmgPebR9LtWYBD7RpmiaoG9QxsM+NAFa:BHkRADf+ZG4MLlaxtX9aLisM+Nea

Score

7^/10

Deletes itself 1 IoCs

pid	Process
5044	3321b31b6993f573dbd51bb53185112a96382e52bc85d416eb4aa7286fd2cdcd.exe

Executes dropped EXE 1 IoCs

pid	Process
5044	3321b31b6993f573dbd51bb53185112a96382e52bc85d416eb4aa7286fd2cdcd.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4380	4808	WerFault.exe	82
2392	5044	WerFault.exe	87

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4808	3321b31b6993f573dbd51bb53185112a96382e52bc85d416eb4aa7286fd2cdcd.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
5044	3321b31b6993f573dbd51bb53185112a96382e52bc85d416eb4aa7286fd2cdcd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 5044	4808	3321b31b6993f573dbd51bb53185112a96382e52bc85d416eb4aa7286fd2cdcd.exe	87
PID 4808 wrote to memory of 5044	4808	3321b31b6993f573dbd51bb53185112a96382e52bc85d416eb4aa7286fd2cdcd.exe	87
PID 4808 wrote to memory of 5044	4808	3321b31b6993f573dbd51bb53185112a96382e52bc85d416eb4aa7286fd2cdcd.exe	87

C:\Users\Admin\AppData\Local\Temp\3321b31b6993f573dbd51bb53185112a96382e52bc85d416eb4aa7286fd2cdcd.exe
"C:\Users\Admin\AppData\Local\Temp\3321b31b6993f573dbd51bb53185112a96382e52bc85d416eb4aa7286fd2cdcd.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 396
  2⤵
  - Program crash
  PID:4380
- C:\Users\Admin\AppData\Local\Temp\3321b31b6993f573dbd51bb53185112a96382e52bc85d416eb4aa7286fd2cdcd.exe
  C:\Users\Admin\AppData\Local\Temp\3321b31b6993f573dbd51bb53185112a96382e52bc85d416eb4aa7286fd2cdcd.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:5044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 364
    3⤵
    - Program crash
    PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4808 -ip 4808
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5044 -ip 5044
1⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\3321b31b6993f573dbd51bb53185112a96382e52bc85d416eb4aa7286fd2cdcd.exe

Filesize
218KB

MD5
d94ff4cd3c57fd4afc965887015f39cf

SHA1
ae68910bd4e893b33a85892910b24efdf34292a9

SHA256
5daff0d0f549172011a23a729d8e89c448dd19dfd68b52f529426158c38028c6

SHA512
ae8e86497aef09bb8e8304fd3f7bf8e1888432d9fde463eae8a6e675b730df93c583938cbc704327705f3e0a352a7d0f4d6d7ff7c1aa24ad077e580a0b0741c5

Download Submit
memory/4808-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4808-6-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5044-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5044-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5044-13-0x00000000015A0000-0x00000000015E2000-memory.dmp

Filesize
264KB

Download