eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b

Analysis

max time kernel
100s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2023 02:20

Target

eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe
Size

419KB
MD5

748587ad382b73ec3619f951b9c0f520
SHA1

1867110007560593e22f2a45d354c35099dcdd74
SHA256

eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b
SHA512

41715aa653807cdf099fb6f999ea5eb36b77a203502e3ff708620696a84f2c9bf14b27e16368c1122d1718cca6fdd5b39324bbe6f6654c124f535d191e8f252c
SSDEEP

6144:P8LxBgg2Z/zHvU7RD+0c+7jsZ37cOG4CIrAntf24fP2UPDK1WvXC9MaPBA:w2Z/zHWA0c+3W3ObIrAnVf1LK1Wv3OK

Score

7^/10

Executes dropped EXE 1 IoCs

Processes:

qdslvzkqg.exe

pid process

384 qdslvzkqg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5052 384 WerFault.exe qdslvzkqg.exe

pid	process
384	qdslvzkqg.exe

pid	pid_target	process	target process
5052	384	WerFault.exe	qdslvzkqg.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exeqdslvzkqg.exe

description	pid	process	target process
PID 4896 wrote to memory of 384	4896	eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe	qdslvzkqg.exe
PID 4896 wrote to memory of 384	4896	eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe	qdslvzkqg.exe
PID 4896 wrote to memory of 384	4896	eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe	qdslvzkqg.exe
PID 384 wrote to memory of 1324	384	qdslvzkqg.exe	qdslvzkqg.exe
PID 384 wrote to memory of 1324	384	qdslvzkqg.exe	qdslvzkqg.exe
PID 384 wrote to memory of 1324	384	qdslvzkqg.exe	qdslvzkqg.exe

C:\Users\Admin\AppData\Local\Temp\eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe
"C:\Users\Admin\AppData\Local\Temp\eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4896

C:\Users\Admin\AppData\Local\Temp\qdslvzkqg.exe
"C:\Users\Admin\AppData\Local\Temp\qdslvzkqg.exe"
3⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 664
3⤵
- Program crash
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 384 -ip 384
1⤵
PID:3624

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\pccizpgtrzz.hj

Filesize
333KB

MD5
ca1c97ce2afd887ef84dbd4592e234e8

SHA1
2922fe8e316321b5762058f4f24b6415450122fe

SHA256
0046c6a752df509a293fcbfa9665923c6ac4310d59bdbaf102704cf4ec4c3247

SHA512
faad180d9d2155577af4c7a1573a7433dda0050d53773df8d7a32d69db7052001aa9097c9c82618700627d9a563a378ac04367334b6a67bbae3392f56919c13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qdslvzkqg.exe

Filesize
165KB

MD5
1b8d8633ac4e79b156290d394f181047

SHA1
c4434ea803b10c58d37d8383e3e9da2732993d28

SHA256
046380e2a000529cddb9aa5454967f78432fdcc0c238568cda2594c113f2584b

SHA512
d624223e8df35b873ec296299df34b2e8a3352af2f2fb8f4eea3134e04b046f6b03385536a3beeb71ecd24390cf3ec92d8b48a200152d7a6760f09d35402e0a4

Download Submit
memory/384-5-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download