98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb

Analysis

max time kernel
197s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 12:55

Target

98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe
Size

193KB
MD5

ba3021001d74f430dc9d2156ad62d71a
SHA1

38fa96a4ea0920146ee5d02735c3f9251bb9adcb
SHA256

98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb
SHA512

803b3060ca03a867f3db06a1c0160dd708019adb657e799e03e4119b059c16a3c5e9679b1a94bd2f9cd09c75ef80932758d52c3086b79eab5c70296d7d6fad6a
SSDEEP

6144:FeYl211ReYl211IdwaWB28edeP/deUv80P80Ap8jh:FeYlk3eYlkvpnedeP/deUe1pw

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
2592	ntldr.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntldr.exe	ntldr.exe
File opened for modification	C:\Windows\SysWOW64\ntldr.exe	98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe
File created	C:\Windows\SysWOW64\ntldr.exe	98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe
File opened for modification	C:\Windows\SysWOW64\RCX67C2.tmp	98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe
File opened for modification	C:\Windows\SysWOW64\ntldr.exe	ntldr.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1604	2592	WerFault.exe	84
4808	4364	WerFault.exe	82

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 2592	4364	98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe	84
PID 4364 wrote to memory of 2592	4364	98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe	84
PID 4364 wrote to memory of 2592	4364	98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe	84

C:\Users\Admin\AppData\Local\Temp\98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe
"C:\Users\Admin\AppData\Local\Temp\98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\SysWOW64\ntldr.exe
  "C:\Windows\system32\ntldr.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 360
    3⤵
    - Program crash
    PID:1604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 368
  2⤵
  - Program crash
  PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2592 -ip 2592
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4364 -ip 4364
1⤵
PID:3744

C:\Windows\SysWOW64\ntldr.exe

Filesize
25KB

MD5
3cae6f8e19e6fc4a9b5e63d363a7793b

SHA1
3828846ba48e61cd35c705636c03850d27cc0f5b

SHA256
f9afcd4da591149653a1788b6cf46e31db4e6e8a3f7c165f6fb5735b84c6309b

SHA512
733649648f5b2741c5eac40b05839f794b0fdcf2e6c910ba5f3e1ebb502618885bb7ec2df0393f80e748a4faace3961fb71bc0f819ed446d534202c6b9cfc9b8

Download Submit
C:\Windows\SysWOW64\ntldr.exe

Filesize
25KB

MD5
3cae6f8e19e6fc4a9b5e63d363a7793b

SHA1
3828846ba48e61cd35c705636c03850d27cc0f5b

SHA256
f9afcd4da591149653a1788b6cf46e31db4e6e8a3f7c165f6fb5735b84c6309b

SHA512
733649648f5b2741c5eac40b05839f794b0fdcf2e6c910ba5f3e1ebb502618885bb7ec2df0393f80e748a4faace3961fb71bc0f819ed446d534202c6b9cfc9b8

Download Submit