79ec993bfeac424fc52a610d9e50b964cd305b743910156c40d657ccad80084a

Analysis

max time kernel
142s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb133e919d5d704ffde38dbca19c9bff.exe
Size

2.4MB
MD5

fb133e919d5d704ffde38dbca19c9bff
SHA1

bef0ef1ff06e5153f2ba38061493b20f8986a78f
SHA256

79ec993bfeac424fc52a610d9e50b964cd305b743910156c40d657ccad80084a
SHA512

94098d117338fec115bf9fb7290cc1b1c2689362e07701c9835ba681c911cc7c32effe4e87b0061c743705ada8a1cf1aefc8c4f67073b6b6df2a6baadca80673
SSDEEP

49152:g5Un0A2/9u4l3HjWT6Dl10nIUauCa/mBLsR7TBaCqDbZP/8XfeUrO9RxO:g2o3HI8MnIUUPCqDbZn8Xf9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2716	ntldr.exe

Loads dropped DLL 3 IoCs

pid	Process
2880	fb133e919d5d704ffde38dbca19c9bff.exe
2880	fb133e919d5d704ffde38dbca19c9bff.exe
2716	ntldr.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntldr.exe	fb133e919d5d704ffde38dbca19c9bff.exe
File opened for modification	C:\Windows\SysWOW64\RCX7D3B.tmp	fb133e919d5d704ffde38dbca19c9bff.exe
File opened for modification	C:\Windows\SysWOW64\ntldr.exe	fb133e919d5d704ffde38dbca19c9bff.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2448 set thread context of 2880	2448	fb133e919d5d704ffde38dbca19c9bff.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3052	2880	WerFault.exe	28

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2880	2448	fb133e919d5d704ffde38dbca19c9bff.exe	28
PID 2448 wrote to memory of 2880	2448	fb133e919d5d704ffde38dbca19c9bff.exe	28
PID 2448 wrote to memory of 2880	2448	fb133e919d5d704ffde38dbca19c9bff.exe	28
PID 2448 wrote to memory of 2880	2448	fb133e919d5d704ffde38dbca19c9bff.exe	28
PID 2448 wrote to memory of 2880	2448	fb133e919d5d704ffde38dbca19c9bff.exe	28
PID 2448 wrote to memory of 2880	2448	fb133e919d5d704ffde38dbca19c9bff.exe	28
PID 2448 wrote to memory of 2880	2448	fb133e919d5d704ffde38dbca19c9bff.exe	28
PID 2448 wrote to memory of 2880	2448	fb133e919d5d704ffde38dbca19c9bff.exe	28
PID 2448 wrote to memory of 2880	2448	fb133e919d5d704ffde38dbca19c9bff.exe	28
PID 2448 wrote to memory of 2880	2448	fb133e919d5d704ffde38dbca19c9bff.exe	28
PID 2448 wrote to memory of 2880	2448	fb133e919d5d704ffde38dbca19c9bff.exe	28
PID 2880 wrote to memory of 2716	2880	fb133e919d5d704ffde38dbca19c9bff.exe	29
PID 2880 wrote to memory of 2716	2880	fb133e919d5d704ffde38dbca19c9bff.exe	29
PID 2880 wrote to memory of 2716	2880	fb133e919d5d704ffde38dbca19c9bff.exe	29
PID 2880 wrote to memory of 2716	2880	fb133e919d5d704ffde38dbca19c9bff.exe	29
PID 2716 wrote to memory of 2572	2716	ntldr.exe	30
PID 2716 wrote to memory of 2572	2716	ntldr.exe	30
PID 2716 wrote to memory of 2572	2716	ntldr.exe	30
PID 2716 wrote to memory of 2572	2716	ntldr.exe	30
PID 2880 wrote to memory of 3052	2880	fb133e919d5d704ffde38dbca19c9bff.exe	31
PID 2880 wrote to memory of 3052	2880	fb133e919d5d704ffde38dbca19c9bff.exe	31
PID 2880 wrote to memory of 3052	2880	fb133e919d5d704ffde38dbca19c9bff.exe	31
PID 2880 wrote to memory of 3052	2880	fb133e919d5d704ffde38dbca19c9bff.exe	31
PID 2716 wrote to memory of 2572	2716	ntldr.exe	30
PID 2716 wrote to memory of 2572	2716	ntldr.exe	30
PID 2716 wrote to memory of 2572	2716	ntldr.exe	30
PID 2716 wrote to memory of 2572	2716	ntldr.exe	30
PID 2716 wrote to memory of 2572	2716	ntldr.exe	30
PID 2716 wrote to memory of 2572	2716	ntldr.exe	30

C:\Users\Admin\AppData\Local\Temp\fb133e919d5d704ffde38dbca19c9bff.exe
"C:\Users\Admin\AppData\Local\Temp\fb133e919d5d704ffde38dbca19c9bff.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\fb133e919d5d704ffde38dbca19c9bff.exe
  "C:\Users\Admin\AppData\Local\Temp\fb133e919d5d704ffde38dbca19c9bff.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\ntldr.exe
    "C:\Windows\system32\ntldr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\ntldr.exe
      "C:\Windows\SysWOW64\ntldr.exe"
      4⤵
      PID:2572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 116
    3⤵
    - Program crash
    PID:3052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\ntldr.exe

Filesize
2.4MB

MD5
fb133e919d5d704ffde38dbca19c9bff

SHA1
bef0ef1ff06e5153f2ba38061493b20f8986a78f

SHA256
79ec993bfeac424fc52a610d9e50b964cd305b743910156c40d657ccad80084a

SHA512
94098d117338fec115bf9fb7290cc1b1c2689362e07701c9835ba681c911cc7c32effe4e87b0061c743705ada8a1cf1aefc8c4f67073b6b6df2a6baadca80673

Download Submit
memory/2880-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2880-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2880-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2880-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2880-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2880-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2880-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2880-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2880-16-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2880-17-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2880-48-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download