a4b0af47a4499419ce2cef7cb0e694e62ca706083fb96147b3fef59c93eafded

Analysis

max time kernel
28s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 10:15

Target

a4b0af47a4499419ce2cef7cb0e694e62ca706083fb96147b3fef59c93eafded.exe
Size

360KB
MD5

35776f816fbb814c179e7b3f56f4945f
SHA1

a9df07cc091772cbe3861088bf78fd231f7aee8e
SHA256

a4b0af47a4499419ce2cef7cb0e694e62ca706083fb96147b3fef59c93eafded
SHA512

df2104672b7ec7667d90ca16dc957cede78234be9f4d2aad71f5fbf32379023c32f6d0da53614107d5360de72383eb78bc974af90b75f8d7e3516e7cf6d16063
SSDEEP

6144:2cIM8URP3T4IZgMo79TY0veNOoNj2IY2VG:0qUCPfjtY20

Score

5^/10

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sysprep\$dpx$.tmp\job.xml	wusa.exe
File opened for modification	C:\Windows\SysWOW64\sysprep\$dpx$.tmp	wusa.exe
File created	C:\Windows\SysWOW64\sysprep\$dpx$.tmp\bd658a2c9e615f4391ac1f82fa6b5e1b.tmp	wusa.exe
File opened for modification	C:\Windows\SysWOW64\sysprep\Cryptbase.dll	wusa.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2008	2040	a4b0af47a4499419ce2cef7cb0e694e62ca706083fb96147b3fef59c93eafded.exe	27
PID 2040 wrote to memory of 2008	2040	a4b0af47a4499419ce2cef7cb0e694e62ca706083fb96147b3fef59c93eafded.exe	27
PID 2040 wrote to memory of 2008	2040	a4b0af47a4499419ce2cef7cb0e694e62ca706083fb96147b3fef59c93eafded.exe	27
PID 2040 wrote to memory of 2008	2040	a4b0af47a4499419ce2cef7cb0e694e62ca706083fb96147b3fef59c93eafded.exe	27
PID 2008 wrote to memory of 1056	2008	cmd.exe	29
PID 2008 wrote to memory of 1056	2008	cmd.exe	29
PID 2008 wrote to memory of 1056	2008	cmd.exe	29
PID 2008 wrote to memory of 1056	2008	cmd.exe	29
PID 2008 wrote to memory of 1056	2008	cmd.exe	29
PID 2008 wrote to memory of 1056	2008	cmd.exe	29
PID 2008 wrote to memory of 1056	2008	cmd.exe	29
PID 2040 wrote to memory of 1044	2040	a4b0af47a4499419ce2cef7cb0e694e62ca706083fb96147b3fef59c93eafded.exe	30
PID 2040 wrote to memory of 1044	2040	a4b0af47a4499419ce2cef7cb0e694e62ca706083fb96147b3fef59c93eafded.exe	30
PID 2040 wrote to memory of 1044	2040	a4b0af47a4499419ce2cef7cb0e694e62ca706083fb96147b3fef59c93eafded.exe	30
PID 2040 wrote to memory of 1044	2040	a4b0af47a4499419ce2cef7cb0e694e62ca706083fb96147b3fef59c93eafded.exe	30

C:\Users\Admin\AppData\Local\Temp\a4b0af47a4499419ce2cef7cb0e694e62ca706083fb96147b3fef59c93eafded.exe
"C:\Users\Admin\AppData\Local\Temp\a4b0af47a4499419ce2cef7cb0e694e62ca706083fb96147b3fef59c93eafded.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wusa.exe C:\Users\Admin\AppData\Local\Temp\cryptbase.cab /extract:C:\Windows\system32\sysprep\ /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\wusa.exe
    wusa.exe C:\Users\Admin\AppData\Local\Temp\cryptbase.cab /extract:C:\Windows\system32\sysprep\ /quiet
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\system32\sysprep\sysprep.exe "C:\Users\Admin\AppData\Local\Temp\a4b0af47a4499419ce2cef7cb0e694e62ca706083fb96147b3fef59c93eafded.exe" "-s -install -bncc"
  2⤵
  PID:1044

C:\Users\Admin\AppData\Local\Temp\cryptbase.cab

Filesize
14KB

MD5
1606904235b488783dcae3b970e0997e

SHA1
bdc2c86df163c2581266a91746de50b2c3890dc6

SHA256
dba7915d224964cf1f7bb0c844c068ec4c106375593b9028e1ba04126d930d75

SHA512
d7cd4f48fed17b175c7907d50962ee76b3c982e438b94fcedf4a22a0198162c7755e63192b010d3f5272e54bab0e790ee2c3959891cd648e748c3c37efde079f

Download Submit
memory/1044-60-0x0000000000000000-mapping.dmp

Download
memory/1056-57-0x0000000000000000-mapping.dmp

Download
memory/2008-56-0x0000000000000000-mapping.dmp

Download
memory/2040-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/2040-55-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2040-61-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download