49570ed416392fe27ab4ad56907ce8638cb6e86d209a79b1ddb79c98250884b8

Analysis

max time kernel
145s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 12:42

Target

4640e9cd839bea66bb05afaea4df979f.exe
Size

18KB
MD5

4640e9cd839bea66bb05afaea4df979f
SHA1

7dc369c3ee58de9be209f6e05cd03a7c3376d0c0
SHA256

49570ed416392fe27ab4ad56907ce8638cb6e86d209a79b1ddb79c98250884b8
SHA512

02e98e833bef3000d883eade1b402f683389946d91aa814a3e5295984af103c9debab59b32d6336d193a931c2e28f4beb51c8f5c31fc6c740e752f70dddc6085
SSDEEP

384:leR4l12vDyyLSYrfNfMfkUMwkYDroU7SixWwlmvhySSFczz7:le412WyWs8KAAwlGhnSFcL

Score

5^/10

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\davclnst.dll	4640e9cd839bea66bb05afaea4df979f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4884 set thread context of 4280	4884	4640e9cd839bea66bb05afaea4df979f.exe	23

Program crash 1 IoCs

pid	pid_target	Process
1232	4280	WerFault.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4884	4640e9cd839bea66bb05afaea4df979f.exe
4884	4640e9cd839bea66bb05afaea4df979f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 4280	4884	4640e9cd839bea66bb05afaea4df979f.exe	23
PID 4884 wrote to memory of 4280	4884	4640e9cd839bea66bb05afaea4df979f.exe	23
PID 4884 wrote to memory of 4280	4884	4640e9cd839bea66bb05afaea4df979f.exe	23
PID 4884 wrote to memory of 3168	4884	4640e9cd839bea66bb05afaea4df979f.exe	22
PID 4884 wrote to memory of 3168	4884	4640e9cd839bea66bb05afaea4df979f.exe	22
PID 4884 wrote to memory of 3168	4884	4640e9cd839bea66bb05afaea4df979f.exe	22

C:\Users\Admin\AppData\Local\Temp\4640e9cd839bea66bb05afaea4df979f.exe
"C:\Users\Admin\AppData\Local\Temp\4640e9cd839bea66bb05afaea4df979f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\DEL.bat
  2⤵
  PID:3168
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4280 -ip 4280
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 84
1⤵
- Program crash
PID:1232

memory/4884-5-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4884-1-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/4884-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download