3ffef44dd79f67360d53d8eb1c12be9de6ce3127fee9650742036dabda69d411

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 21:43

Target

13801da770cac066f33d34478a071ea4.exe
Size

35KB
MD5

13801da770cac066f33d34478a071ea4
SHA1

be98a01134e6b3ae11ab912e2fbbc0d02115bdf0
SHA256

3ffef44dd79f67360d53d8eb1c12be9de6ce3127fee9650742036dabda69d411
SHA512

5e5db331a4687795cd7583a301753c7c44a68c5fbe74d2942ff997780db3bd9035b24fd39c3890e650d25a9e6bcdf58f6d5d9af5601d3e212c23391f6358a166
SSDEEP

768:+3KsDtTqY4zzork3s58iFfDycYwXWTybJvSEPyTZ+s:czthWork3s58KfDMwqUFFP5s

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1104	ntldr.exe

Loads dropped DLL 11 IoCs

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ntldr.exe	13801da770cac066f33d34478a071ea4.exe
File created	C:\Windows\SysWOW64\ntldr.exe	13801da770cac066f33d34478a071ea4.exe
File opened for modification	C:\Windows\SysWOW64\ntldr.exe	ntldr.exe
File created	C:\Windows\SysWOW64\ntldr.exe	ntldr.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1628	2824	WerFault.exe	16
2008	1104	WerFault.exe	28

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 1104	2824	13801da770cac066f33d34478a071ea4.exe	28
PID 2824 wrote to memory of 1104	2824	13801da770cac066f33d34478a071ea4.exe	28
PID 2824 wrote to memory of 1104	2824	13801da770cac066f33d34478a071ea4.exe	28
PID 2824 wrote to memory of 1104	2824	13801da770cac066f33d34478a071ea4.exe	28
PID 2824 wrote to memory of 1104	2824	13801da770cac066f33d34478a071ea4.exe	28
PID 2824 wrote to memory of 1104	2824	13801da770cac066f33d34478a071ea4.exe	28
PID 2824 wrote to memory of 1104	2824	13801da770cac066f33d34478a071ea4.exe	28
PID 2824 wrote to memory of 1628	2824	13801da770cac066f33d34478a071ea4.exe	29
PID 2824 wrote to memory of 1628	2824	13801da770cac066f33d34478a071ea4.exe	29
PID 2824 wrote to memory of 1628	2824	13801da770cac066f33d34478a071ea4.exe	29
PID 2824 wrote to memory of 1628	2824	13801da770cac066f33d34478a071ea4.exe	29
PID 2824 wrote to memory of 1628	2824	13801da770cac066f33d34478a071ea4.exe	29
PID 2824 wrote to memory of 1628	2824	13801da770cac066f33d34478a071ea4.exe	29
PID 2824 wrote to memory of 1628	2824	13801da770cac066f33d34478a071ea4.exe	29
PID 1104 wrote to memory of 2008	1104	ntldr.exe	30
PID 1104 wrote to memory of 2008	1104	ntldr.exe	30
PID 1104 wrote to memory of 2008	1104	ntldr.exe	30
PID 1104 wrote to memory of 2008	1104	ntldr.exe	30
PID 1104 wrote to memory of 2008	1104	ntldr.exe	30
PID 1104 wrote to memory of 2008	1104	ntldr.exe	30
PID 1104 wrote to memory of 2008	1104	ntldr.exe	30

C:\Users\Admin\AppData\Local\Temp\13801da770cac066f33d34478a071ea4.exe
"C:\Users\Admin\AppData\Local\Temp\13801da770cac066f33d34478a071ea4.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\ntldr.exe
  "C:\Windows\system32\ntldr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 252
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 248
  2⤵
  - Program crash
  PID:1628

\Windows\SysWOW64\ntldr.exe

Filesize
35KB

MD5
13801da770cac066f33d34478a071ea4

SHA1
be98a01134e6b3ae11ab912e2fbbc0d02115bdf0

SHA256
3ffef44dd79f67360d53d8eb1c12be9de6ce3127fee9650742036dabda69d411

SHA512
5e5db331a4687795cd7583a301753c7c44a68c5fbe74d2942ff997780db3bd9035b24fd39c3890e650d25a9e6bcdf58f6d5d9af5601d3e212c23391f6358a166

Download Submit