7351d0a0d19a6efb2230bfa6f588b85c0d54a221adde9d74009114fae4e6f1a8 | Triage

Analysis

max time kernel
300s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 09:40

Sharing

Report Analysis Logs

General

Target

CHARLES.exe
Size

1.7MB
MD5

bb1b2455f59fa0a25524b7ec9baff097
SHA1

9fadc578c339425ee59b46b9aae2c1c1472f076c
SHA256

a649c2453c27bdf09b5b92207e2bc8041bcfec24819ed7879959361096d7200f
SHA512

f17aa003e42920e7e5897280369d78e9a91a7cf51ff92eadf00565bd52931d20131d909835d585bbd7812e40f7389b5df4a8029c124c8d5d5f3b318fa207cffe
SSDEEP

49152:NTvC/MTQYxsWR7adX0KD/HqQhPFuWrf1:hjTQYxsWR63iQtFuWrf1

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1440 2300 WerFault.exe CHARLES.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

CHARLES.exe

pid process

2300 CHARLES.exe
2300 CHARLES.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

CHARLES.exe

pid process

2300 CHARLES.exe
2300 CHARLES.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

CHARLES.exe

description	pid	process	target process
PID 2300 wrote to memory of 4268	2300	CHARLES.exe	RegSvcs.exe
PID 2300 wrote to memory of 4268	2300	CHARLES.exe	RegSvcs.exe
PID 2300 wrote to memory of 4268	2300	CHARLES.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\CHARLES.exe
"C:\Users\Admin\AppData\Local\Temp\CHARLES.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\CHARLES.exe"
2⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 696
2⤵
- Program crash
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2300 -ip 2300
1⤵
PID:2924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2300-10-0x0000000000DF0000-0x0000000000DF4000-memory.dmp

Filesize
16KB

Download