e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 19:07

Target

e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e.exe
Size

133KB
MD5

aafef404650287c7c279ff33826186ee
SHA1

925994f9355d7ace89e3482816aade99525b51f3
SHA256

e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e
SHA512

c2466ec91bab2cf714d006d9235c5351ac581b612e114012656ceff198bde6d0a7719e5e9a54a204f1ddaedf311db3608d799ef53bef630bc8b869a4320b1416
SSDEEP

768:X+RFmnbfWDut1vC+bHyBtMLNe28DUMaV9NvSEqf/Z+:ORFyWuq+bHyBtMLX8DUjVzFqM

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
4636	ntldr.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\RCX7C1A.tmp	e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e.exe
File opened for modification	C:\Windows\SysWOW64\ntldr.exe	ntldr.exe
File created	C:\Windows\SysWOW64\ntldr.exe	ntldr.exe
File opened for modification	C:\Windows\SysWOW64\ntldr.exe	e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e.exe
File created	C:\Windows\SysWOW64\ntldr.exe	e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2620	4368	WerFault.exe	79
2268	4636	WerFault.exe	80

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 4636	4368	e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e.exe	80
PID 4368 wrote to memory of 4636	4368	e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e.exe	80
PID 4368 wrote to memory of 4636	4368	e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e.exe	80

C:\Users\Admin\AppData\Local\Temp\e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e.exe
"C:\Users\Admin\AppData\Local\Temp\e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\SysWOW64\ntldr.exe
  "C:\Windows\system32\ntldr.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 376
    3⤵
    - Program crash
    PID:2268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 408
  2⤵
  - Program crash
  PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4368 -ip 4368
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4636 -ip 4636
1⤵
PID:5088

C:\Windows\SysWOW64\ntldr.exe

Filesize
28KB

MD5
80f9290f521afce325d362ee877acf62

SHA1
04b7ba722b02dbd7d0df092cdfca61474537af2f

SHA256
8d2a997f844c4ced9fe35154ea7467e8183f3d2aba6e1532bb60b87820cbedf4

SHA512
27c53cd7b961c836e5d71041803a103fb371e4e26b7ac62d97ecbb0b5a702a689c9159bcf7a050d0256354b582b9a8c4c1aaebc58906e2bcd7e95065aef484be

Download Submit
C:\Windows\SysWOW64\ntldr.exe

Filesize
28KB

MD5
80f9290f521afce325d362ee877acf62

SHA1
04b7ba722b02dbd7d0df092cdfca61474537af2f

SHA256
8d2a997f844c4ced9fe35154ea7467e8183f3d2aba6e1532bb60b87820cbedf4

SHA512
27c53cd7b961c836e5d71041803a103fb371e4e26b7ac62d97ecbb0b5a702a689c9159bcf7a050d0256354b582b9a8c4c1aaebc58906e2bcd7e95065aef484be

Download Submit