08c82a8c7dbc6ac5f2a206dee6de8ac7c3dc49fdb9a3b40706a48ff5ddd6f445

Analysis

max time kernel
154s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 08:00

Target

12daa984840c43edb9f28e97d8f5431b.exe
Size

552KB
MD5

12daa984840c43edb9f28e97d8f5431b
SHA1

2bd7d255aa348b43a0ccd13bdec9664d0778d690
SHA256

08c82a8c7dbc6ac5f2a206dee6de8ac7c3dc49fdb9a3b40706a48ff5ddd6f445
SHA512

7661a77548117884165a6b629b5a5e3dc89fe1c57cd32218093d9932c28c337d5abf6352fcda39d5480cab4f74f50be6d35a0a53a2d04a6c85b05b89cf1f9655
SSDEEP

12288:9d7N1+qnP61o9Rl/OOHYPK7GE4LzkqkuCnpTZtMN:9M+61o9fFhNqkucpTZtM

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2568	RemoteAbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2568 set thread context of 400	2568	RemoteAbc.exe	96

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\RemoteAbc.exe	12daa984840c43edb9f28e97d8f5431b.exe
File opened for modification	C:\Windows\RemoteAbc.exe	12daa984840c43edb9f28e97d8f5431b.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 400	2568	RemoteAbc.exe	96
PID 2568 wrote to memory of 400	2568	RemoteAbc.exe	96
PID 2568 wrote to memory of 400	2568	RemoteAbc.exe	96
PID 2568 wrote to memory of 400	2568	RemoteAbc.exe	96
PID 2568 wrote to memory of 400	2568	RemoteAbc.exe	96

C:\Users\Admin\AppData\Local\Temp\12daa984840c43edb9f28e97d8f5431b.exe
"C:\Users\Admin\AppData\Local\Temp\12daa984840c43edb9f28e97d8f5431b.exe"
1⤵
- Drops file in Windows directory
PID:2312

C:\Windows\RemoteAbc.exe
C:\Windows\RemoteAbc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" 76655
  2⤵
  PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 400 -ip 400
1⤵
PID:3216

C:\Windows\RemoteAbc.exe

Filesize
552KB

MD5
12daa984840c43edb9f28e97d8f5431b

SHA1
2bd7d255aa348b43a0ccd13bdec9664d0778d690

SHA256
08c82a8c7dbc6ac5f2a206dee6de8ac7c3dc49fdb9a3b40706a48ff5ddd6f445

SHA512
7661a77548117884165a6b629b5a5e3dc89fe1c57cd32218093d9932c28c337d5abf6352fcda39d5480cab4f74f50be6d35a0a53a2d04a6c85b05b89cf1f9655

Download Submit
memory/400-10-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2312-0-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2312-2-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2312-3-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/2312-6-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2568-9-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2568-12-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download