3a3ac3cbc41c952afa90d31d5109a4565292d3b51c929aff9fd0fdb851a0d025

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 21:39

Target

3df52111a92eade10665d0b49d8dd0cb.exe
Size

679KB
MD5

3df52111a92eade10665d0b49d8dd0cb
SHA1

a3b1ed26ff3a6854263ff5afe8408a680643b8c0
SHA256

3a3ac3cbc41c952afa90d31d5109a4565292d3b51c929aff9fd0fdb851a0d025
SHA512

493ef51098a57457c2f2441ec8c32a89927359d4988d64c3d5ca568544c760cee1c359eca827a2c5c9da1fb2dc681773fbe6549e05d212f3fd058f6ad3f543e5
SSDEEP

6144:RJ82asJfnlAJwT71w+DtmVlTWw8oY4JHfTcE6sTNrCMHJeTBh+:ROWJ8wT7SoScCY4JHLcElTNm8eT

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1000	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\EyMyRG.dll	3df52111a92eade10665d0b49d8dd0cb.exe
File created	C:\Windows\WMQJdmK.dll	svchost.exe
File created	C:\Windows\CWaHaveN\cDDJHiU.dll	svchost.exe
File opened for modification	C:\Windows\CWaHaveN\cDDJHiU.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1660	1000	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 6 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 1000	3696	3df52111a92eade10665d0b49d8dd0cb.exe	88
PID 3696 wrote to memory of 1000	3696	3df52111a92eade10665d0b49d8dd0cb.exe	88
PID 3696 wrote to memory of 1000	3696	3df52111a92eade10665d0b49d8dd0cb.exe	88

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1000 -ip 1000
1⤵
PID:4360

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\MWowMVK\svchost.exe

Filesize
680KB

MD5
f1ba3243a29c11c25d6499f43bef3576

SHA1
19600f335ce126f3ce6f559cbbe957ea8f4382d3

SHA256
3a1cf76d3a0a070593499b71db551f5cba95b0e2a2146773477e96747676215c

SHA512
689a6ccb40a190e41b0e3680318535a497f80631f83c7fb75cd7517951659d8bcd6f66a5f0b10fec7c1447de353659cde26909bb17afdf4e9b1d7343b3f4b550

Download Submit
memory/1000-8-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1000-12-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1000-22-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3696-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3696-11-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download