Analysis
max time kernel: 119s
max time network: 122s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 10-07-2024 21:12

Static task: static1

Behavioral task: behavioral1
  Sample: 35d4272cc73224ac1516d44f5bed5ef11b18face488baa64e5a51cf8d7616b3b.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 35d4272cc73224ac1516d44f5bed5ef11b18face488baa64e5a51cf8d7616b3b.exe
  Resource: win10v2004-20240709-en
General
Target: 35d4272cc73224ac1516d44f5bed5ef11b18face488baa64e5a51cf8d7616b3b.exe
Size: 3.2MB
MD5: 6af0e55e5cc5d8e99dff16094abe2365
SHA1: 430b213b9e8598f14c0f70da13a91494aa3247de
SHA256: 35d4272cc73224ac1516d44f5bed5ef11b18face488baa64e5a51cf8d7616b3b
SHA512: 6414dd0a78854bbcf29b66cc51218ba106a2a065a984b5bf132b3ba56e36e32a3fb28b2ee4908645bd48a87af28cc7b6e4c00065fbeb825da44e50768e453439
SSDEEP: 49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1Nu:DBIKRAGRe5K2UZ6
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 2440   f76c4b6.exe

- Loads dropped DLL (9 IoCs)
  Processes:
    PID 772    35d4272cc73224ac1516d44f5bed5ef11b18face488baa64e5a51cf8d7616b3b.exe (2 events)
    PID 2664   WerFault.exe (7 events)

- Program crash (1 IoC)
  Processes:
    PID 2664 (WerFault.exe), target PID 2440 (f76c4b6.exe)

- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    PID 772    35d4272cc73224ac1516d44f5bed5ef11b18face488baa64e5a51cf8d7616b3b.exe (2 events)
    PID 2440   f76c4b6.exe (2 events)

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 772 (35d4272cc73224ac1516d44f5bed5ef11b18face488baa64e5a51cf8d7616b3b.exe) wrote to memory of PID 2440 (f76c4b6.exe), 4 events
    PID 2440 (f76c4b6.exe) wrote to memory of PID 2664 (WerFault.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\35d4272cc73224ac1516d44f5bed5ef11b18face488baa64e5a51cf8d7616b3b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\35d4272cc73224ac1516d44f5bed5ef11b18face488baa64e5a51cf8d7616b3b.exe"
  PID: 772
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f76c4b6.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f76c4b6.exe 259441861
    PID: 2440
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1456
      PID: 2664
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 3.2MB
  MD5: 661f053750d2244d44d140097cec0ca0
  SHA1: 124e783b62fc92c0ccd73579853bb7531b6e787f
  SHA256: aac73e3f85ff479cbffafdadfb4475b5a56aa30525664f92aa0a79650cc6b3c2
  SHA512: 69b7dddcc33b14b2a9c348368a0be9aeb90937d70e2c451b47831aad8101010103a10bd4217fa02dc73d8f880a952df85412ded15ae24a0dd640dca877dc977f