50b722130525d7ae6ee121ef62436b385e5be8344f2684722bb84ef57eee1885

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 12:58

Target

37022ac2ed057b03624d536310aad98b.exe
Size

1KB
MD5

37022ac2ed057b03624d536310aad98b
SHA1

18e40add16a4be57a3981034b4d3477231a5b2e2
SHA256

50b722130525d7ae6ee121ef62436b385e5be8344f2684722bb84ef57eee1885
SHA512

1377f829822f374544abbc3644f17da3baeb2b37fe3b01f7754ed7f057a6579bae314d8c7ead92f6ecaad33c56446c79e09d07808ec5ce72a7b80758c4341c2c

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2324	cmd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2432	2900	WerFault.exe	30

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2324	1736	37022ac2ed057b03624d536310aad98b.exe	28
PID 1736 wrote to memory of 2324	1736	37022ac2ed057b03624d536310aad98b.exe	28
PID 1736 wrote to memory of 2324	1736	37022ac2ed057b03624d536310aad98b.exe	28
PID 1736 wrote to memory of 2324	1736	37022ac2ed057b03624d536310aad98b.exe	28
PID 1736 wrote to memory of 2900	1736	37022ac2ed057b03624d536310aad98b.exe	30
PID 1736 wrote to memory of 2900	1736	37022ac2ed057b03624d536310aad98b.exe	30
PID 1736 wrote to memory of 2900	1736	37022ac2ed057b03624d536310aad98b.exe	30
PID 1736 wrote to memory of 2900	1736	37022ac2ed057b03624d536310aad98b.exe	30
PID 1736 wrote to memory of 2900	1736	37022ac2ed057b03624d536310aad98b.exe	30
PID 2900 wrote to memory of 2432	2900	svchost.exe	31
PID 2900 wrote to memory of 2432	2900	svchost.exe	31
PID 2900 wrote to memory of 2432	2900	svchost.exe	31
PID 2900 wrote to memory of 2432	2900	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\37022ac2ed057b03624d536310aad98b.exe
"C:\Users\Admin\AppData\Local\Temp\37022ac2ed057b03624d536310aad98b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c a.bat C:\Users\Admin\AppData\Local\Temp\37022ac2ed057b03624d536310aad98b.exe
  2⤵
  - Deletes itself
  PID:2324
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 52
    3⤵
    - Program crash
    PID:2432

C:\Users\Admin\AppData\Local\Temp\a.bat

Filesize
80B

MD5
c13cdd5bcfbfb9e79002a613a95d7e4f

SHA1
85dff28082abba5d8c9984fe70deb3f71af29126

SHA256
a0962593ba601914804df19160ff0ede231f8a1ec873036f909171b9a25abe39

SHA512
59a4908e015eec7b39c9eff5444b06fe6677143676d19ed77e3483a7746e04247385456bb4de22a744959755c53a260b309b6fca871f1cc0b1f12cdfb0bebbea

Download Submit
memory/1736-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2900-9-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download