24d679d78a767fd7d1000a18c34858f969bc1d1e07e62efa3c003586606e4687

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24d679d78a767fd7d1000a18c34858f969bc1d1e07e62efa3c003586606e4687.exe
Size

192KB
MD5

b067f51fb68aeef97310ecb28494eb30
SHA1

e02f7ce5ed5778ae0df670b9a114d6c2c60373a1
SHA256

24d679d78a767fd7d1000a18c34858f969bc1d1e07e62efa3c003586606e4687
SHA512

a3c748979c35fc419b697c961b8a1d04ccdd6e41ef5af53ba6db77554e102e6fd523a714d2fe29980e0de224b7b58151a9b158f1dd582486e3f86b11eebed35c
SSDEEP

3072:baCd9Hchiv7m9OlD+t1SelA1CoHb3rNqvpPewXhCw3BDh:e49Gijm9OlDoPlA1CoN6Ywx53BDh

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3668	24d679d78a767fd7d1000a18c34858f969bc1d1e07e62efa3c003586606e4687.exe

Executes dropped EXE 1 IoCs

pid	Process
3668	24d679d78a767fd7d1000a18c34858f969bc1d1e07e62efa3c003586606e4687.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4236	4848	WerFault.exe	79
2180	3668	WerFault.exe	86
1788	3668	WerFault.exe	86
5088	3668	WerFault.exe	86
1688	3668	WerFault.exe	86
2608	3668	WerFault.exe	86
724	3668	WerFault.exe	86

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4848	24d679d78a767fd7d1000a18c34858f969bc1d1e07e62efa3c003586606e4687.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3668	24d679d78a767fd7d1000a18c34858f969bc1d1e07e62efa3c003586606e4687.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 3668	4848	24d679d78a767fd7d1000a18c34858f969bc1d1e07e62efa3c003586606e4687.exe	86
PID 4848 wrote to memory of 3668	4848	24d679d78a767fd7d1000a18c34858f969bc1d1e07e62efa3c003586606e4687.exe	86
PID 4848 wrote to memory of 3668	4848	24d679d78a767fd7d1000a18c34858f969bc1d1e07e62efa3c003586606e4687.exe	86

C:\Users\Admin\AppData\Local\Temp\24d679d78a767fd7d1000a18c34858f969bc1d1e07e62efa3c003586606e4687.exe
"C:\Users\Admin\AppData\Local\Temp\24d679d78a767fd7d1000a18c34858f969bc1d1e07e62efa3c003586606e4687.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 356
  2⤵
  - Program crash
  PID:4236
- C:\Users\Admin\AppData\Local\Temp\24d679d78a767fd7d1000a18c34858f969bc1d1e07e62efa3c003586606e4687.exe
  C:\Users\Admin\AppData\Local\Temp\24d679d78a767fd7d1000a18c34858f969bc1d1e07e62efa3c003586606e4687.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 364
    3⤵
    - Program crash
    PID:2180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 768
    3⤵
    - Program crash
    PID:1788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 808
    3⤵
    - Program crash
    PID:5088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 816
    3⤵
    - Program crash
    PID:1688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 544
    3⤵
    - Program crash
    PID:2608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 776
    3⤵
    - Program crash
    PID:724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4848 -ip 4848
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3668 -ip 3668
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3668 -ip 3668
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3668 -ip 3668
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3668 -ip 3668
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3668 -ip 3668
1⤵
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3668 -ip 3668
1⤵
PID:5036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\24d679d78a767fd7d1000a18c34858f969bc1d1e07e62efa3c003586606e4687.exe

Filesize
192KB

MD5
75aaac8da44c113b1492c6972fe8f2fd

SHA1
70df9b27e20cc6d772365cc8cccb13eb0c6b2600

SHA256
28aaa261c370eac22916ff1ab795f62f7e6c2a3f5faa73c0af99c3b839a27c38

SHA512
ba6f810f6fe42707df812b36dd5e1a35fee9e7315985b5fc3c69ec52915b879bfe8670004fb32e4b0f760ab75226cb89d6853e79093aac3f148fd36a5cc44abb

Download Submit
memory/3668-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3668-8-0x00000000001A0000-0x00000000001DC000-memory.dmp

Filesize
240KB

Download
memory/3668-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4848-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4848-6-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download