ddf93d33ceb72977c1ca37bd73eda231f5e58fe6960915c4a1e0c4d90e81b3a2

Analysis

max time kernel
169s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 19:01

Target

ddf93d33ceb72977c1ca37bd73eda231f5e58fe6960915c4a1e0c4d90e81b3a2.exe
Size

82KB
MD5

7553ed21808ddd919104340763ca443f
SHA1

bbdc2098ec0495006a3a481dd9cf8a8fce50acfd
SHA256

ddf93d33ceb72977c1ca37bd73eda231f5e58fe6960915c4a1e0c4d90e81b3a2
SHA512

a0576726f7c7f59639d780575d1c27a32660d8fba278e08d36a37e54d73fd9fab895db81aac3af016411f4e10564b447ab5d100302ca030d6d2fd9ba5f027186
SSDEEP

1536:+3Sp4w7J1JYKV+7Da7ff/SRmScPGXEoLlMr+PZQUDlI0jQgD2B:+3SV7J1HUDaTv3qEoLlMJUDlI0jQgu

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
4548	000.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\000.exe	ddf93d33ceb72977c1ca37bd73eda231f5e58fe6960915c4a1e0c4d90e81b3a2.exe
File created	C:\Windows\SysWOW64\qqmmck.vxd	000.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4752	2248	WerFault.exe	77

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92B2E816-2CEF-4345-8758-7699C7C9935F}\InProcServer32\ThreadingModel = "Apartment"	000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92B2E816-2CEF-4345-8758-7699C7C9935F}	000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92B2E816-2CEF-4345-8758-7699C7C9935F}\	000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92B2E816-2CEF-4345-8758-7699C7C9935F}\InProcServer32	000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92B2E816-2CEF-4345-8758-7699C7C9935F}\InProcServer32\ = "C:\\Windows\\SysWow64\\qqmmck.vxd"	000.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 4480	2248	ddf93d33ceb72977c1ca37bd73eda231f5e58fe6960915c4a1e0c4d90e81b3a2.exe	82
PID 2248 wrote to memory of 4480	2248	ddf93d33ceb72977c1ca37bd73eda231f5e58fe6960915c4a1e0c4d90e81b3a2.exe	82
PID 2248 wrote to memory of 4480	2248	ddf93d33ceb72977c1ca37bd73eda231f5e58fe6960915c4a1e0c4d90e81b3a2.exe	82
PID 4480 wrote to memory of 4548	4480	cmd.exe	84
PID 4480 wrote to memory of 4548	4480	cmd.exe	84
PID 4480 wrote to memory of 4548	4480	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\ddf93d33ceb72977c1ca37bd73eda231f5e58fe6960915c4a1e0c4d90e81b3a2.exe
"C:\Users\Admin\AppData\Local\Temp\ddf93d33ceb72977c1ca37bd73eda231f5e58fe6960915c4a1e0c4d90e81b3a2.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 220
  2⤵
  - Program crash
  PID:4752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Windows\system32\000.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\SysWOW64\000.exe
    C:\Windows\system32\000.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2248 -ip 2248
1⤵
PID:4888

C:\Windows\SysWOW64\000.exe

Filesize
74KB

MD5
9565abbcd4b07cd48951667a54566a24

SHA1
44f36ee6c5e2c1c353794e7be87b81328e7b3246

SHA256
f2502c1bbf5b4a6725301ec2f45a46103f30855b4f158dedc2c45adfad0eeb2e

SHA512
b6e0f338cb652c75a36060fdc160a7271ffbddc4fe9d869b85f24cfaa8baa2685b72a4b38a67333d118d4b94878a1062120ade3617bbfde3aecf5a30ae2da2a6

Download Submit
C:\Windows\SysWOW64\000.exe

Filesize
74KB

MD5
9565abbcd4b07cd48951667a54566a24

SHA1
44f36ee6c5e2c1c353794e7be87b81328e7b3246

SHA256
f2502c1bbf5b4a6725301ec2f45a46103f30855b4f158dedc2c45adfad0eeb2e

SHA512
b6e0f338cb652c75a36060fdc160a7271ffbddc4fe9d869b85f24cfaa8baa2685b72a4b38a67333d118d4b94878a1062120ade3617bbfde3aecf5a30ae2da2a6

Download Submit
memory/2248-132-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2248-134-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4480-133-0x0000000000000000-mapping.dmp

Download
memory/4548-135-0x0000000000000000-mapping.dmp

Download