3c85a2c9a83d359e6a3000d7982e5ec1e48b44a374a112307d2ecfc91f04d0e4

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 03:48

Target

0d6babdc42d3e27d6217f91c38850c5b.exe
Size

553KB
MD5

0d6babdc42d3e27d6217f91c38850c5b
SHA1

a20d9a4dbb1063933a1d90e690a0c197689d60d8
SHA256

3c85a2c9a83d359e6a3000d7982e5ec1e48b44a374a112307d2ecfc91f04d0e4
SHA512

0d5f714698bda599bb0a2bdd105c5e4053675235546ca7050803c7e12fc6be15429ec5f4c58761ba1c816a70b336a20f8514330b8f12d6118a14803caf6f3eb7
SSDEEP

12288:gC8LZQFsWRK5l4NAK3pgopObii41xsxlj62:wnWRK5l4NX3pD6iiSQj/

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
4452	RemoteAbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4452 set thread context of 3220	4452	RemoteAbc.exe	96

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\RemoteAbc.exe	0d6babdc42d3e27d6217f91c38850c5b.exe
File opened for modification	C:\Windows\RemoteAbc.exe	0d6babdc42d3e27d6217f91c38850c5b.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2116	3220	WerFault.exe	96

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 3220	4452	RemoteAbc.exe	96
PID 4452 wrote to memory of 3220	4452	RemoteAbc.exe	96
PID 4452 wrote to memory of 3220	4452	RemoteAbc.exe	96
PID 3916 wrote to memory of 4888	3916	0d6babdc42d3e27d6217f91c38850c5b.exe	97
PID 3916 wrote to memory of 4888	3916	0d6babdc42d3e27d6217f91c38850c5b.exe	97
PID 3916 wrote to memory of 4888	3916	0d6babdc42d3e27d6217f91c38850c5b.exe	97
PID 4452 wrote to memory of 3220	4452	RemoteAbc.exe	96
PID 4452 wrote to memory of 3220	4452	RemoteAbc.exe	96

C:\Users\Admin\AppData\Local\Temp\0d6babdc42d3e27d6217f91c38850c5b.exe
"C:\Users\Admin\AppData\Local\Temp\0d6babdc42d3e27d6217f91c38850c5b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\7078.bat
  2⤵
  PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3220 -ip 3220
1⤵
PID:2392

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe" 852
1⤵
PID:3220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 12
  2⤵
  - Program crash
  PID:2116

C:\Windows\RemoteAbc.exe

Filesize
553KB

MD5
0d6babdc42d3e27d6217f91c38850c5b

SHA1
a20d9a4dbb1063933a1d90e690a0c197689d60d8

SHA256
3c85a2c9a83d359e6a3000d7982e5ec1e48b44a374a112307d2ecfc91f04d0e4

SHA512
0d5f714698bda599bb0a2bdd105c5e4053675235546ca7050803c7e12fc6be15429ec5f4c58761ba1c816a70b336a20f8514330b8f12d6118a14803caf6f3eb7

Download Submit
memory/3220-10-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3916-0-0x0000000000400000-0x0000000000492200-memory.dmp

Filesize
584KB

Download
memory/3916-3-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3916-12-0x0000000000400000-0x0000000000492200-memory.dmp

Filesize
584KB

Download
memory/4452-7-0x0000000000400000-0x0000000000492200-memory.dmp

Filesize
584KB

Download
memory/4452-11-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/4452-14-0x0000000000400000-0x0000000000492200-memory.dmp

Filesize
584KB

Download