ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae

Analysis

max time kernel
162s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 12:07

Target

ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe
Size

31KB
MD5

4f6aa0237b0f6afdcdbbb152b682f581
SHA1

48f82db348ccab01b35b4fccd1e4caea998e6d68
SHA256

ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae
SHA512

1c966c5b0fe82727debd202e470d3f426f1b654bb08d3e8a0a977999ff73b74332e0cd74014a77cdb45774f0aca0cf22900631f3a2f98198a8e2d4e9d79e175a
SSDEEP

768:f6nn/dB6c7L5pFn3nvzMOoPgEPkYBv3fMO:f6nlBtJDvzsPgEPkYpUO

Score

5^/10

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe:ext.exe	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe
File created	C:\Windows\SysWOW64\fci.exe.exe:ext.exe	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe
File opened for modification	C:\Windows\SysWOW64\fci.exe.exe:ext.exe	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4740 set thread context of 1312	4740	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe	82

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3972	1312	WerFault.exe	82

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 1312	4740	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe	82
PID 4740 wrote to memory of 1312	4740	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe	82
PID 4740 wrote to memory of 1312	4740	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe	82
PID 4740 wrote to memory of 2124	4740	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe	85
PID 4740 wrote to memory of 2124	4740	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe	85
PID 4740 wrote to memory of 2124	4740	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe	85

C:\Users\Admin\AppData\Local\Temp\ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe
"C:\Users\Admin\AppData\Local\Temp\ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:1312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 200
    3⤵
    - Program crash
    PID:3972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\10354691.bat
  2⤵
  PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1312 -ip 1312
1⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\10354691.bat

Filesize
302B

MD5
dca5cd631618cb4ac35f576096e97193

SHA1
af359586308b1b8640c29752aa396a0a67399562

SHA256
b2d63990412907cf1f92e4bab2a859849fc4aeefc02e976ef67e4d3e4d592a85

SHA512
342ad631c5ff1d693dde461f6b042263cb4f422939ae8e2393bcc1b1cb712a2d700d21dc7361e872db86eb352befad178cce9f8ce9261dddeb71f819db218340

Download Submit
memory/1312-133-0x0000000000000000-mapping.dmp

Download
memory/2124-134-0x0000000000000000-mapping.dmp

Download
memory/4740-132-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4740-135-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download