cf2c46a808a624a013375822d0b8125d131cf00e6edfd4ab36883457cea44141

Analysis

max time kernel
154s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 04:31

Target

5462051b36b09b653e2933d2c0223d01.exe
Size

295KB
MD5

5462051b36b09b653e2933d2c0223d01
SHA1

ade00ae20fd3a9568127a0bd1269fe4eb4a597ff
SHA256

cf2c46a808a624a013375822d0b8125d131cf00e6edfd4ab36883457cea44141
SHA512

b6a680203ac72a96a47ae9e4e2e5ebff212e43530d9dd8f353496849573fc3f8d265acc77676ab5f98f7183a8aa9c00e0442ffc4bfb36d7a7cc2156bc473a457
SSDEEP

6144:Ccr3o6DxHg45rb2gmFVUHJ99Ol/0Pq67YO6Y6w+m+CI1fe25JoS:Ccr7xHNb2gV7Akq674Y61m+Cwfe25JoS

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
4508	neter.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/5048-0-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral2/files/0x000600000002324c-4.dat	upx
behavioral2/memory/4508-5-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral2/memory/4316-9-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral2/memory/5048-10-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral2/memory/4508-12-0x0000000000400000-0x0000000000493000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4508 set thread context of 4316	4508	neter.exe	91

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NetMeeting\neter.exe	5462051b36b09b653e2933d2c0223d01.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
456	4316	WerFault.exe	91

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 4316	4508	neter.exe	91
PID 4508 wrote to memory of 4316	4508	neter.exe	91
PID 4508 wrote to memory of 4316	4508	neter.exe	91
PID 4508 wrote to memory of 4316	4508	neter.exe	91
PID 4508 wrote to memory of 4316	4508	neter.exe	91
PID 5048 wrote to memory of 1308	5048	5462051b36b09b653e2933d2c0223d01.exe	93
PID 5048 wrote to memory of 1308	5048	5462051b36b09b653e2933d2c0223d01.exe	93
PID 5048 wrote to memory of 1308	5048	5462051b36b09b653e2933d2c0223d01.exe	93

C:\Users\Admin\AppData\Local\Temp\5462051b36b09b653e2933d2c0223d01.exe
"C:\Users\Admin\AppData\Local\Temp\5462051b36b09b653e2933d2c0223d01.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\871050.bat
  2⤵
  PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4316 -ip 4316
1⤵
PID:4756

C:\Program Files (x86)\NetMeeting\neter.exe

Filesize
295KB

MD5
5462051b36b09b653e2933d2c0223d01

SHA1
ade00ae20fd3a9568127a0bd1269fe4eb4a597ff

SHA256
cf2c46a808a624a013375822d0b8125d131cf00e6edfd4ab36883457cea44141

SHA512
b6a680203ac72a96a47ae9e4e2e5ebff212e43530d9dd8f353496849573fc3f8d265acc77676ab5f98f7183a8aa9c00e0442ffc4bfb36d7a7cc2156bc473a457

Download Submit
C:\Users\Admin\AppData\Local\Temp\871050.bat

Filesize
190B

MD5
960808eed1bb606157543fdaecc8c4cc

SHA1
c313978984138441f82fe13ae27fafe547b5ac66

SHA256
2a5256772b3ba9c77b44e0985eb1684bb6aa9d5274e24a58f16c26a6df6d98a3

SHA512
10f4143a1c2d30d9b01602c8f893d0ef733b406f0adb4499533c6446a8c43b9783e02f96b1d9462815edaee4babcd895846aee45927399714390de3431786d05

Download Submit
memory/4316-9-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4316-13-0x00000000007B0000-0x00000000007B0000-memory.dmp

Download
memory/4508-6-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/4508-5-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4508-12-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/5048-0-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/5048-1-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/5048-10-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download