9240bc981d7b180f9237184bf5f61a6b441447ebd74fd58519f8e1babee46438

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2024 07:42

Target

6710471fae73afc0117693af548f73d3.exe
Size

295KB
MD5

6710471fae73afc0117693af548f73d3
SHA1

f6ec258629cdb419d757ae6ac9b5f201afb63f83
SHA256

9240bc981d7b180f9237184bf5f61a6b441447ebd74fd58519f8e1babee46438
SHA512

6a3efbe366bf1a4d0688b08166bdd88e6efea632522d32b8333e899b0ace6c6b879d0137cfe18e91046bf9182d790bc235df15e6d8b0290d20913696ce210318
SSDEEP

6144:YqALKMtci5TKWKqhZmBzFBi1AKL+f7JtHPBy3ni2/3KgllZ:Yq/nW4BhBQAKCZyXi2ygl

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
3844	temp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3844 set thread context of 3608	3844	temp.exe	90

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Delete.bat	6710471fae73afc0117693af548f73d3.exe
File created	C:\Windows\temp.exe	6710471fae73afc0117693af548f73d3.exe
File opened for modification	C:\Windows\temp.exe	6710471fae73afc0117693af548f73d3.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4044	3608	WerFault.exe	90

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3608	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 3608	3844	temp.exe	90
PID 3844 wrote to memory of 3608	3844	temp.exe	90
PID 3844 wrote to memory of 3608	3844	temp.exe	90
PID 3844 wrote to memory of 3608	3844	temp.exe	90
PID 3084 wrote to memory of 1696	3084	6710471fae73afc0117693af548f73d3.exe	91
PID 3084 wrote to memory of 1696	3084	6710471fae73afc0117693af548f73d3.exe	91
PID 3084 wrote to memory of 1696	3084	6710471fae73afc0117693af548f73d3.exe	91
PID 3844 wrote to memory of 3608	3844	temp.exe	90

C:\Users\Admin\AppData\Local\Temp\6710471fae73afc0117693af548f73d3.exe
"C:\Users\Admin\AppData\Local\Temp\6710471fae73afc0117693af548f73d3.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\Delete.bat
  2⤵
  PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3608 -ip 3608
1⤵
PID:1732

C:\Windows\Delete.bat

Filesize
186B

MD5
bd3d6e08168bc914c289033d043b1ad9

SHA1
36de067d156278ba2d2368e4ac1580b7ea21c1fd

SHA256
ebcd11e8b7da5bada5995ccebe5056f0d7bfc3e6ef2e860228521e6889e29950

SHA512
879ae0f83749505085b7c1bea4c9fa0bfcda92c0abec45e74084490efeb2000f3f66e856daf88cc710b76653b30c82f6ee09e089b606391259cf1e637ff10f46

Download Submit
C:\Windows\temp.exe

Filesize
295KB

MD5
6710471fae73afc0117693af548f73d3

SHA1
f6ec258629cdb419d757ae6ac9b5f201afb63f83

SHA256
9240bc981d7b180f9237184bf5f61a6b441447ebd74fd58519f8e1babee46438

SHA512
6a3efbe366bf1a4d0688b08166bdd88e6efea632522d32b8333e899b0ace6c6b879d0137cfe18e91046bf9182d790bc235df15e6d8b0290d20913696ce210318

Download Submit
memory/3084-0-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3084-2-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/3084-1-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/3084-10-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3608-14-0x00000000007B0000-0x00000000007B0000-memory.dmp

Download
memory/3844-9-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/3844-13-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download