75feb7e282987ce9f4a072b4c32ad2b3313cc65206fcb1a1e04ef7194709d4e8

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a4200f2f3c210f3a24927b5d6fb61e2.exe
Size

87KB
MD5

7a4200f2f3c210f3a24927b5d6fb61e2
SHA1

f731e312af80f0cc6b73ae28b5431c83f52f8a37
SHA256

75feb7e282987ce9f4a072b4c32ad2b3313cc65206fcb1a1e04ef7194709d4e8
SHA512

aa03837c8d8ad68a5af0a5eb41148ffb0134113faf9cc92128f7d14892e5145713c690951920cf8312fdc0ab02f7535234c570b0f34a629d6e88dbdf14959d82
SSDEEP

768:6x39TEu51YZP9euPoUPlLx39TEu51YZP9euPoUPlDOdQC+NaH9K7lgiJ2SR7mcd7:6bsP9evUPBbsP9evUPBOfin

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2760	ntldr.exe
2712	ntldr.exe

Loads dropped DLL 7 IoCs

pid	Process
1872	7a4200f2f3c210f3a24927b5d6fb61e2.exe
1872	7a4200f2f3c210f3a24927b5d6fb61e2.exe
2760	ntldr.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ntldr.exe	7a4200f2f3c210f3a24927b5d6fb61e2.exe
File created	C:\Windows\SysWOW64\ntldr.exe	7a4200f2f3c210f3a24927b5d6fb61e2.exe
File opened for modification	C:\Windows\SysWOW64\RCX205C.tmp	7a4200f2f3c210f3a24927b5d6fb61e2.exe
File opened for modification	C:\Windows\SysWOW64\ntldr.exe	ntldr.exe
File created	C:\Windows\SysWOW64\ntldr.exe	ntldr.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1928 set thread context of 1872	1928	7a4200f2f3c210f3a24927b5d6fb61e2.exe	20
PID 2760 set thread context of 2712	2760	ntldr.exe	18

Program crash 2 IoCs

pid	pid_target	Process
2772	2712	WerFault.exe
2952	1872	WerFault.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1872	1928	7a4200f2f3c210f3a24927b5d6fb61e2.exe	20
PID 1928 wrote to memory of 1872	1928	7a4200f2f3c210f3a24927b5d6fb61e2.exe	20
PID 1928 wrote to memory of 1872	1928	7a4200f2f3c210f3a24927b5d6fb61e2.exe	20
PID 1928 wrote to memory of 1872	1928	7a4200f2f3c210f3a24927b5d6fb61e2.exe	20
PID 1928 wrote to memory of 1872	1928	7a4200f2f3c210f3a24927b5d6fb61e2.exe	20
PID 1928 wrote to memory of 1872	1928	7a4200f2f3c210f3a24927b5d6fb61e2.exe	20
PID 1928 wrote to memory of 1872	1928	7a4200f2f3c210f3a24927b5d6fb61e2.exe	20
PID 1928 wrote to memory of 1872	1928	7a4200f2f3c210f3a24927b5d6fb61e2.exe	20
PID 1928 wrote to memory of 1872	1928	7a4200f2f3c210f3a24927b5d6fb61e2.exe	20
PID 1928 wrote to memory of 1872	1928	7a4200f2f3c210f3a24927b5d6fb61e2.exe	20
PID 1928 wrote to memory of 1872	1928	7a4200f2f3c210f3a24927b5d6fb61e2.exe	20
PID 1872 wrote to memory of 2760	1872	7a4200f2f3c210f3a24927b5d6fb61e2.exe	19
PID 1872 wrote to memory of 2760	1872	7a4200f2f3c210f3a24927b5d6fb61e2.exe	19
PID 1872 wrote to memory of 2760	1872	7a4200f2f3c210f3a24927b5d6fb61e2.exe	19
PID 1872 wrote to memory of 2760	1872	7a4200f2f3c210f3a24927b5d6fb61e2.exe	19
PID 2760 wrote to memory of 2712	2760	ntldr.exe	18
PID 2760 wrote to memory of 2712	2760	ntldr.exe	18
PID 2760 wrote to memory of 2712	2760	ntldr.exe	18
PID 2760 wrote to memory of 2712	2760	ntldr.exe	18
PID 1872 wrote to memory of 2952	1872	7a4200f2f3c210f3a24927b5d6fb61e2.exe	17
PID 1872 wrote to memory of 2952	1872	7a4200f2f3c210f3a24927b5d6fb61e2.exe	17
PID 1872 wrote to memory of 2952	1872	7a4200f2f3c210f3a24927b5d6fb61e2.exe	17
PID 1872 wrote to memory of 2952	1872	7a4200f2f3c210f3a24927b5d6fb61e2.exe	17
PID 2760 wrote to memory of 2712	2760	ntldr.exe	18
PID 2760 wrote to memory of 2712	2760	ntldr.exe	18
PID 2760 wrote to memory of 2712	2760	ntldr.exe	18
PID 2760 wrote to memory of 2712	2760	ntldr.exe	18
PID 2760 wrote to memory of 2712	2760	ntldr.exe	18
PID 2760 wrote to memory of 2712	2760	ntldr.exe	18
PID 2760 wrote to memory of 2712	2760	ntldr.exe	18
PID 2712 wrote to memory of 2772	2712	ntldr.exe	16
PID 2712 wrote to memory of 2772	2712	ntldr.exe	16
PID 2712 wrote to memory of 2772	2712	ntldr.exe	16
PID 2712 wrote to memory of 2772	2712	ntldr.exe	16

C:\Users\Admin\AppData\Local\Temp\7a4200f2f3c210f3a24927b5d6fb61e2.exe
"C:\Users\Admin\AppData\Local\Temp\7a4200f2f3c210f3a24927b5d6fb61e2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\7a4200f2f3c210f3a24927b5d6fb61e2.exe
  "C:\Users\Admin\AppData\Local\Temp\7a4200f2f3c210f3a24927b5d6fb61e2.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 116
1⤵
- Loads dropped DLL
- Program crash
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 116
1⤵
- Program crash
PID:2952

C:\Windows\SysWOW64\ntldr.exe
"C:\Windows\SysWOW64\ntldr.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\ntldr.exe
"C:\Windows\system32\ntldr.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1872-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1872-22-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1872-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1872-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1872-16-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1872-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1872-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1872-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1872-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1872-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1872-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2712-51-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2712-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download