4f1286e7c2c3f69075486bf0c0082931cca3ab2e72151422cc8528f913d7d465

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 23:03

Target

4f1286e7c2c3f69075486bf0c0082931cca3ab2e72151422cc8528f913d7d465.exe
Size

251KB
MD5

00c0534e061a6ab97371fd1313c30609
SHA1

5d01630cbdcd5b7ab27f8b2f2789d7196c89cbd5
SHA256

4f1286e7c2c3f69075486bf0c0082931cca3ab2e72151422cc8528f913d7d465
SHA512

dfc2d2c63b3882226a0739b1c3ad8a2801c345502256cd5f60af0491a8bb55bfd0d4b604f9d654168255dc48964e06cfa3055e537622a5858ac85b68b89107af
SSDEEP

6144:Md89bQe0W3894eETPBx1mLxvL4R98hfxx/I+NunxTTKVe2ZMJS:Md86zWwfGPBx1mLxvL4/o/I+QnZT

Score

8^/10

aspackv2

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

resource	yara_rule
behavioral2/files/0x000a000000022e21-132.dat	aspack_v212_v242
behavioral2/files/0x000a000000022e21-133.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
4712	QQ

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\QQ	4f1286e7c2c3f69075486bf0c0082931cca3ab2e72151422cc8528f913d7d465.exe
File opened for modification	C:\Windows\QQ	4f1286e7c2c3f69075486bf0c0082931cca3ab2e72151422cc8528f913d7d465.exe
File created	C:\Windows\Delete.bat	4f1286e7c2c3f69075486bf0c0082931cca3ab2e72151422cc8528f913d7d465.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1700	5044	WerFault.exe	79
4916	4712	WerFault.exe	82

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4712	QQ

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 1952	5044	4f1286e7c2c3f69075486bf0c0082931cca3ab2e72151422cc8528f913d7d465.exe	85
PID 5044 wrote to memory of 1952	5044	4f1286e7c2c3f69075486bf0c0082931cca3ab2e72151422cc8528f913d7d465.exe	85
PID 5044 wrote to memory of 1952	5044	4f1286e7c2c3f69075486bf0c0082931cca3ab2e72151422cc8528f913d7d465.exe	85

C:\Users\Admin\AppData\Local\Temp\4f1286e7c2c3f69075486bf0c0082931cca3ab2e72151422cc8528f913d7d465.exe
"C:\Users\Admin\AppData\Local\Temp\4f1286e7c2c3f69075486bf0c0082931cca3ab2e72151422cc8528f913d7d465.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 516
  2⤵
  - Program crash
  PID:1700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\Delete.bat
  2⤵
  PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5044 -ip 5044
1⤵
PID:4248

C:\Windows\QQ
C:\Windows\QQ
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:4712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 516
  2⤵
  - Program crash
  PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4712 -ip 4712
1⤵
PID:4740

C:\Windows\Delete.bat

Filesize
250B

MD5
6430df3f3c69a9b30266d1fc5735bc39

SHA1
2bd2d0f907b52dbf42d555ddc7bf6030ea8c74eb

SHA256
5f18b505d4e35e3d42cef156e53c78789614dab0776264470d99aaafdb273a75

SHA512
fbdb9df9077379be3d72bef8aaa9bfe8d24e7f687a289866bfb0c7029d59e4dae43eb975e3f4cb7e6653df6a2022cd20daa0f7970f5e32bc5d09e2ad7bae581e

Download Submit
C:\Windows\QQ

Filesize
251KB

MD5
00c0534e061a6ab97371fd1313c30609

SHA1
5d01630cbdcd5b7ab27f8b2f2789d7196c89cbd5

SHA256
4f1286e7c2c3f69075486bf0c0082931cca3ab2e72151422cc8528f913d7d465

SHA512
dfc2d2c63b3882226a0739b1c3ad8a2801c345502256cd5f60af0491a8bb55bfd0d4b604f9d654168255dc48964e06cfa3055e537622a5858ac85b68b89107af

Download Submit
C:\Windows\QQ

Filesize
251KB

MD5
00c0534e061a6ab97371fd1313c30609

SHA1
5d01630cbdcd5b7ab27f8b2f2789d7196c89cbd5

SHA256
4f1286e7c2c3f69075486bf0c0082931cca3ab2e72151422cc8528f913d7d465

SHA512
dfc2d2c63b3882226a0739b1c3ad8a2801c345502256cd5f60af0491a8bb55bfd0d4b604f9d654168255dc48964e06cfa3055e537622a5858ac85b68b89107af

Download Submit
memory/1952-134-0x0000000000000000-mapping.dmp

Download