3c836644d302fb352cecd7a7831809694eda0273406fb440e568e74f2cfc5d9c

Analysis

Target

3c836644d302fb352cecd7a7831809694eda0273406fb440e568e74f2cfc5d9c.exe
Size

32KB
MD5

39778e34740c753686317424739cf885
SHA1

5f9bada0cddd099b23148b1ddf5540f4061d4bc2
SHA256

3c836644d302fb352cecd7a7831809694eda0273406fb440e568e74f2cfc5d9c
SHA512

8dd071e4ae3ac48e4ab9e4c4d47ac53595ff49d30de92a002e62251d3d8382e19a498cf3f13bb6209100eb1eca3ea4920e65321dd224e3fe70a3126a23527ce5

Score

8^/10

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

992 svchost.exe
1696 svchost.exe

pid	process
992	svchost.exe
1696	svchost.exe

Drops file in Windows directory 2 IoCs

Processes:

3c836644d302fb352cecd7a7831809694eda0273406fb440e568e74f2cfc5d9c.exe

description	ioc	process
File created	C:\Windows\svchost.exe	3c836644d302fb352cecd7a7831809694eda0273406fb440e568e74f2cfc5d9c.exe
File opened for modification	C:\Windows\svchost.exe	3c836644d302fb352cecd7a7831809694eda0273406fb440e568e74f2cfc5d9c.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

364 992 WerFault.exe svchost.exe

pid	pid_target	process	target process
364	992	WerFault.exe	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 992 wrote to memory of 1696	992	svchost.exe	svchost.exe
PID 992 wrote to memory of 1696	992	svchost.exe	svchost.exe
PID 992 wrote to memory of 1696	992	svchost.exe	svchost.exe
PID 992 wrote to memory of 1696	992	svchost.exe	svchost.exe
PID 992 wrote to memory of 364	992	svchost.exe	WerFault.exe
PID 992 wrote to memory of 364	992	svchost.exe	WerFault.exe
PID 992 wrote to memory of 364	992	svchost.exe	WerFault.exe
PID 992 wrote to memory of 364	992	svchost.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\3c836644d302fb352cecd7a7831809694eda0273406fb440e568e74f2cfc5d9c.exe
"C:\Users\Admin\AppData\Local\Temp\3c836644d302fb352cecd7a7831809694eda0273406fb440e568e74f2cfc5d9c.exe"
1⤵
- Drops file in Windows directory
PID:1968

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 172
  2⤵
  - Program crash
  PID:364

C:\Windows\svchost.exe

Filesize
32KB

MD5
39778e34740c753686317424739cf885

SHA1
5f9bada0cddd099b23148b1ddf5540f4061d4bc2

SHA256
3c836644d302fb352cecd7a7831809694eda0273406fb440e568e74f2cfc5d9c

SHA512
8dd071e4ae3ac48e4ab9e4c4d47ac53595ff49d30de92a002e62251d3d8382e19a498cf3f13bb6209100eb1eca3ea4920e65321dd224e3fe70a3126a23527ce5

Download Submit
C:\Windows\svchost.exe

Filesize
32KB

MD5
39778e34740c753686317424739cf885

SHA1
5f9bada0cddd099b23148b1ddf5540f4061d4bc2

SHA256
3c836644d302fb352cecd7a7831809694eda0273406fb440e568e74f2cfc5d9c

SHA512
8dd071e4ae3ac48e4ab9e4c4d47ac53595ff49d30de92a002e62251d3d8382e19a498cf3f13bb6209100eb1eca3ea4920e65321dd224e3fe70a3126a23527ce5

Download Submit
C:\Windows\svchost.exe

Filesize
32KB

MD5
39778e34740c753686317424739cf885

SHA1
5f9bada0cddd099b23148b1ddf5540f4061d4bc2

SHA256
3c836644d302fb352cecd7a7831809694eda0273406fb440e568e74f2cfc5d9c

SHA512
8dd071e4ae3ac48e4ab9e4c4d47ac53595ff49d30de92a002e62251d3d8382e19a498cf3f13bb6209100eb1eca3ea4920e65321dd224e3fe70a3126a23527ce5

Download Submit
memory/364-58-0x0000000000000000-mapping.dmp

Download
memory/1696-56-0x0000000000000000-mapping.dmp

Download