8ceff0aac139c6334b06db771eb6d7d368e9a9de8f743c808abd5e42b59c662b

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 09:16

Target

14409ac147df76ecbf7c1a48777bab81.exe
Size

130KB
MD5

14409ac147df76ecbf7c1a48777bab81
SHA1

db8cf41bf8d0bff727e4e32a4f68730aa9e4a05a
SHA256

8ceff0aac139c6334b06db771eb6d7d368e9a9de8f743c808abd5e42b59c662b
SHA512

6ddb7595a6bea83049ed2970eb5420492d3cc517246b6679d9d8163809e8f12a42e6266d5ca3d5f9ed7c0c96c284eb740dbed6f65133392991dea78124c7a924
SSDEEP

3072:ZKrbGe5bfS3yccbdA/BdgoHp+QFq2jqasC/I6hi0T:ZcbGe5bOcIVJ/jqK/I6hHT

Score

5^/10

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\windev-6ff5-70cb.sys	14409ac147df76ecbf7c1a48777bab81.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3548	2712	WerFault.exe	16

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 4384	2712	14409ac147df76ecbf7c1a48777bab81.exe	29
PID 2712 wrote to memory of 4384	2712	14409ac147df76ecbf7c1a48777bab81.exe	29
PID 2712 wrote to memory of 4384	2712	14409ac147df76ecbf7c1a48777bab81.exe	29
PID 2712 wrote to memory of 1496	2712	14409ac147df76ecbf7c1a48777bab81.exe	18
PID 2712 wrote to memory of 1496	2712	14409ac147df76ecbf7c1a48777bab81.exe	18
PID 2712 wrote to memory of 1496	2712	14409ac147df76ecbf7c1a48777bab81.exe	18
PID 4384 wrote to memory of 2696	4384	w32tm.exe	25
PID 4384 wrote to memory of 2696	4384	w32tm.exe	25
PID 1496 wrote to memory of 3816	1496	w32tm.exe	21
PID 1496 wrote to memory of 3816	1496	w32tm.exe	21

C:\Users\Admin\AppData\Local\Temp\14409ac147df76ecbf7c1a48777bab81.exe
"C:\Users\Admin\AppData\Local\Temp\14409ac147df76ecbf7c1a48777bab81.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\w32tm.exe
  /config /update
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\system32\w32tm.exe
    /config /update
    3⤵
    PID:3816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 496
  2⤵
  - Program crash
  PID:3548
- C:\Windows\SysWOW64\w32tm.exe
  /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2712 -ip 2712
1⤵
PID:2044

C:\Windows\system32\w32tm.exe
/config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
1⤵
PID:2696

memory/2712-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2712-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2712-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download