c61125f9c181923309986d409597f2ef8d72cf6cb2ce54c83b24e4c763e49947

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 19:32

Target

383d4a7a5d7c489a39f47d6736924adf.exe
Size

172KB
MD5

383d4a7a5d7c489a39f47d6736924adf
SHA1

df5f9ea91226dc872c52608d2188f040c75222d7
SHA256

c61125f9c181923309986d409597f2ef8d72cf6cb2ce54c83b24e4c763e49947
SHA512

25783c1c27a409efadbde17f8ebcab20dd2c4b6ce269f27a0825f4b02f72aed939025173f01a868bea6f423a4cf420a847cfcce5dd26ba09c28201c669cd3727
SSDEEP

3072:8khicw+BOgwZP3sQoYuf8pgcQWKg8vD3HGxK0roILGXq26xhxLGdV6wF/9snGa4m:F4P3sQFuf8pgcQWKg8vD3HGxK0roSGXe

Score

7^/10

Loads dropped DLL 2 IoCs

pid	Process
2124	383d4a7a5d7c489a39f47d6736924adf.exe
2124	383d4a7a5d7c489a39f47d6736924adf.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\files.dll	383d4a7a5d7c489a39f47d6736924adf.exe
File created	C:\Windows\SysWOW64\userfile.dll	383d4a7a5d7c489a39f47d6736924adf.exe
File opened for modification	C:\Windows\SysWOW64\userfile.dll	383d4a7a5d7c489a39f47d6736924adf.exe
File created	C:\Windows\SysWOW64\files.dll	383d4a7a5d7c489a39f47d6736924adf.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3224	2124	WerFault.exe	86
3468	2124	WerFault.exe	86

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2124	383d4a7a5d7c489a39f47d6736924adf.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 3452	2124	383d4a7a5d7c489a39f47d6736924adf.exe	88
PID 2124 wrote to memory of 3452	2124	383d4a7a5d7c489a39f47d6736924adf.exe	88
PID 2124 wrote to memory of 3452	2124	383d4a7a5d7c489a39f47d6736924adf.exe	88

C:\Users\Admin\AppData\Local\Temp\383d4a7a5d7c489a39f47d6736924adf.exe
"C:\Users\Admin\AppData\Local\Temp\383d4a7a5d7c489a39f47d6736924adf.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\383d4a7a5d7c489a39f47d6736924adf.exe
  2⤵
  PID:3452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 468
  2⤵
  - Program crash
  PID:3224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 520
  2⤵
  - Program crash
  PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2124 -ip 2124
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2124 -ip 2124
1⤵
PID:460

C:\Windows\SysWOW64\files.dll

Filesize
359KB

MD5
837a0a61ae56a158227845679d2f7fb1

SHA1
2754f59f0aee5025d24da63d082e9d4a382bf24a

SHA256
f60e345e0645bcd6a6bf305112d8cf33246ca2432c7fdf44e2b5915f91ce0426

SHA512
684c48337aa7bdcb1def88ffdd62b312bcca43ca8f5499e0dd659e9b146c10c6c195db391d0ea89a35271a8a69f9558446745cbdb4db30a3f9e6a6a243c8757e

Download Submit