Analysis

  • max time kernel
    146s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-07-2024 18:39

General

  • Target

    036e19f0bedf8ccd4403759aef053130N.exe

  • Size

    68KB

  • MD5

    036e19f0bedf8ccd4403759aef053130

  • SHA1

    244fdc88a1c999ccaea4eb8f74be3101fdc0395e

  • SHA256

    ac454fa278ee26a72d6720bac89bd4624d0e611afa1dae421a290454dc3848b3

  • SHA512

    97c43c97fd8a89aa7d8ade1b9f98878b2015e09f8a4bbb48fc80efdb6a43e60cba542004e6e38e08db44f81a2ad30b1b3eb04dd73c7925992ea8b7db53344257

  • SSDEEP

    768:9waGd7Lw/nrrxDL/GOv2/w6HSa0fYSPNZsxRXQ1d2yg/QmWKHZyiVlaW4OHZ0Em:947urp3v23HSa0AMNyfQ1d2y4Z4P

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2520
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      PID:3288
      • C:\Users\Admin\AppData\Local\Temp\036e19f0bedf8ccd4403759aef053130N.exe
        "C:\Users\Admin\AppData\Local\Temp\036e19f0bedf8ccd4403759aef053130N.exe"
        2⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4140
        • C:\Users\Admin\AppData\Local\Temp\036e19f0bedf8ccd4403759aef053130N.exe
          "C:\Users\Admin\AppData\Local\Temp\036e19f0bedf8ccd4403759aef053130N.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:672
          • C:\Windows\SysWOW64\winver.exe
            winver
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:2648
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 636
              5⤵
              • Program crash
              PID:3040
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2648 -ip 2648
      1⤵
        PID:3512

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/672-5-0x0000000000400000-0x0000000000404A00-memory.dmp
        Filesize

        18KB

      • memory/672-4-0x0000000000400000-0x0000000000405000-memory.dmp
        Filesize

        20KB

      • memory/2520-14-0x0000000000D40000-0x0000000000D47000-memory.dmp
        Filesize

        28KB

      • memory/2520-15-0x0000000000D40000-0x0000000000D47000-memory.dmp
        Filesize

        28KB

      • memory/2648-11-0x0000000000C20000-0x0000000000C32000-memory.dmp
        Filesize

        72KB

      • memory/2648-10-0x0000000000C21000-0x0000000000C22000-memory.dmp
        Filesize

        4KB

      • memory/2648-7-0x00000000009E0000-0x00000000009E7000-memory.dmp
        Filesize

        28KB

      • memory/2648-16-0x00000000009E0000-0x00000000009E7000-memory.dmp
        Filesize

        28KB

      • memory/3288-6-0x0000000000B60000-0x0000000000B67000-memory.dmp
        Filesize

        28KB

      • memory/3288-9-0x0000000000B60000-0x0000000000B67000-memory.dmp
        Filesize

        28KB

      • memory/3288-12-0x00007FFD85EED000-0x00007FFD85EEE000-memory.dmp
        Filesize

        4KB

      • memory/4140-2-0x0000000002080000-0x0000000002086000-memory.dmp
        Filesize

        24KB

      • memory/4140-3-0x0000000002080000-0x0000000002086000-memory.dmp
        Filesize

        24KB