11f851fa543e54d5a7c676c21f51564605447decf1d66953f37f9a73d7b86391

Analysis

max time kernel
132s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 00:34

Target

11f851fa543e54d5a7c676c21f51564605447decf1d66953f37f9a73d7b86391.exe
Size

38KB
MD5

05182d7aef2ad887312c1f5ce615b4a2
SHA1

65f71e3f5daf170b25f5a8b571877af85327416c
SHA256

11f851fa543e54d5a7c676c21f51564605447decf1d66953f37f9a73d7b86391
SHA512

905fa4f2c7502d77e746c4a6ce21e83a691219b0a604b2c2d61d5c76831094c3d2f11f8b20a1d3f6344394ff76789b520d0a58e0f5ff38ca94f84bfb534f3235
SSDEEP

192:0E8Fa3LlVJBOrf/EC1Gt7LwHaWsvTl2eKJeIJj2BEc+OoBIQAlJbu2HFviFegiy0:0E8wHJBOTKssvTlxKQIx2OcayNl7hIMn

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
1532	loder.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\loder.exe	11f851fa543e54d5a7c676c21f51564605447decf1d66953f37f9a73d7b86391.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 688 set thread context of 1532	688	11f851fa543e54d5a7c676c21f51564605447decf1d66953f37f9a73d7b86391.exe	81

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
688	11f851fa543e54d5a7c676c21f51564605447decf1d66953f37f9a73d7b86391.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 1532	688	11f851fa543e54d5a7c676c21f51564605447decf1d66953f37f9a73d7b86391.exe	81
PID 688 wrote to memory of 1532	688	11f851fa543e54d5a7c676c21f51564605447decf1d66953f37f9a73d7b86391.exe	81
PID 688 wrote to memory of 1532	688	11f851fa543e54d5a7c676c21f51564605447decf1d66953f37f9a73d7b86391.exe	81
PID 688 wrote to memory of 1532	688	11f851fa543e54d5a7c676c21f51564605447decf1d66953f37f9a73d7b86391.exe	81
PID 688 wrote to memory of 1532	688	11f851fa543e54d5a7c676c21f51564605447decf1d66953f37f9a73d7b86391.exe	81
PID 688 wrote to memory of 1532	688	11f851fa543e54d5a7c676c21f51564605447decf1d66953f37f9a73d7b86391.exe	81
PID 688 wrote to memory of 1532	688	11f851fa543e54d5a7c676c21f51564605447decf1d66953f37f9a73d7b86391.exe	81

C:\Users\Admin\AppData\Local\Temp\11f851fa543e54d5a7c676c21f51564605447decf1d66953f37f9a73d7b86391.exe
"C:\Users\Admin\AppData\Local\Temp\11f851fa543e54d5a7c676c21f51564605447decf1d66953f37f9a73d7b86391.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:688
- C:\Windows\SysWOW64\loder.exe
  C:\Windows\system32\loder.exe
  2⤵
  - Executes dropped EXE
  PID:1532

C:\Windows\SysWOW64\loder.exe

Filesize
16KB

MD5
6f727b6337ffd958805954adcfa6f918

SHA1
fc804b417fd54f96f597150160f2313b06c29a29

SHA256
0596a35e5d54d43cdde4f2f00d1de367f8b5c04bfa01f2f9e0038394c529303f

SHA512
e665de3aa7148f151078d41004b4aa1aad3f513323133fefd9d2745a57ec9d086d82b1c1fe3475f9aa7ea185ac05cf4e9f19cd08c28e75def728e3839890894d

Download Submit
C:\Windows\SysWOW64\loder.exe

Filesize
16KB

MD5
6f727b6337ffd958805954adcfa6f918

SHA1
fc804b417fd54f96f597150160f2313b06c29a29

SHA256
0596a35e5d54d43cdde4f2f00d1de367f8b5c04bfa01f2f9e0038394c529303f

SHA512
e665de3aa7148f151078d41004b4aa1aad3f513323133fefd9d2745a57ec9d086d82b1c1fe3475f9aa7ea185ac05cf4e9f19cd08c28e75def728e3839890894d

Download Submit
memory/1532-135-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1532-136-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1532-137-0x0000000000400200-0x0000000000400400-memory.dmp

Filesize
512B

Download