3ffef44dd79f67360d53d8eb1c12be9de6ce3127fee9650742036dabda69d411

Analysis

max time kernel
100s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 21:43

Target

13801da770cac066f33d34478a071ea4.exe
Size

35KB
MD5

13801da770cac066f33d34478a071ea4
SHA1

be98a01134e6b3ae11ab912e2fbbc0d02115bdf0
SHA256

3ffef44dd79f67360d53d8eb1c12be9de6ce3127fee9650742036dabda69d411
SHA512

5e5db331a4687795cd7583a301753c7c44a68c5fbe74d2942ff997780db3bd9035b24fd39c3890e650d25a9e6bcdf58f6d5d9af5601d3e212c23391f6358a166
SSDEEP

768:+3KsDtTqY4zzork3s58iFfDycYwXWTybJvSEPyTZ+s:czthWork3s58KfDMwqUFFP5s

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1772	ntldr.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntldr.exe	ntldr.exe
File opened for modification	C:\Windows\SysWOW64\ntldr.exe	13801da770cac066f33d34478a071ea4.exe
File created	C:\Windows\SysWOW64\ntldr.exe	13801da770cac066f33d34478a071ea4.exe
File opened for modification	C:\Windows\SysWOW64\ntldr.exe	ntldr.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
672	3908	WerFault.exe	54
3408	1772	WerFault.exe	86

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 1772	3908	13801da770cac066f33d34478a071ea4.exe	86
PID 3908 wrote to memory of 1772	3908	13801da770cac066f33d34478a071ea4.exe	86
PID 3908 wrote to memory of 1772	3908	13801da770cac066f33d34478a071ea4.exe	86

C:\Users\Admin\AppData\Local\Temp\13801da770cac066f33d34478a071ea4.exe
"C:\Users\Admin\AppData\Local\Temp\13801da770cac066f33d34478a071ea4.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\SysWOW64\ntldr.exe
  "C:\Windows\system32\ntldr.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 380
    3⤵
    - Program crash
    PID:3408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 380
  2⤵
  - Program crash
  PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1772 -ip 1772
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3908 -ip 3908
1⤵
PID:4508

C:\Windows\SysWOW64\ntldr.exe

Filesize
35KB

MD5
13801da770cac066f33d34478a071ea4

SHA1
be98a01134e6b3ae11ab912e2fbbc0d02115bdf0

SHA256
3ffef44dd79f67360d53d8eb1c12be9de6ce3127fee9650742036dabda69d411

SHA512
5e5db331a4687795cd7583a301753c7c44a68c5fbe74d2942ff997780db3bd9035b24fd39c3890e650d25a9e6bcdf58f6d5d9af5601d3e212c23391f6358a166

Download Submit