753a66f032d0d7a7c310a2e5f98c54e95e3d404400224d592657a02079c668d5

Resubmissions

20-02-2024 22:17

max time kernel
98s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2024 22:17

Target

loader.bat
Size

94B
MD5

921239f27bb2234b67d59178f126c4e3
SHA1

dcfb337b410b40159c6cecc298728246745250e8
SHA256

72098b728205382cccae1513b4758851372139a8e881066c679ce7321fb29ba6
SHA512

3df002ba6bf11f6b6b0d2dac2f940090b9160b8af124f9c36fefa57964562b9f4edffc2aa250633704f26fa720c770814d693a9ba0f93a55cbae8b0e65fcc7a1

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4364 3992 WerFault.exe rundll32.exe

pid	pid_target	process	target process
4364	3992	WerFault.exe	rundll32.exe

Modifies registry class 3 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mmpt0z3lb\DefaultIcon	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mmpt0z3lb	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mmpt0z3lb\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"	rundll32.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 3588 wrote to memory of 4008	3588	cmd.exe	rundll32.exe
PID 3588 wrote to memory of 4008	3588	cmd.exe	rundll32.exe
PID 4008 wrote to memory of 3992	4008	rundll32.exe	rundll32.exe
PID 4008 wrote to memory of 3992	4008	rundll32.exe	rundll32.exe
PID 4008 wrote to memory of 3992	4008	rundll32.exe	rundll32.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\loader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\system32\rundll32.exe
  rundll32.exe fea155f714b3153192dfc11fba84609edf1e78bbb7f1d6979de6a9ab4077099d.dll,VisibleEntry
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe fea155f714b3153192dfc11fba84609edf1e78bbb7f1d6979de6a9ab4077099d.dll,VisibleEntry
    3⤵
    - Modifies registry class
    PID:3992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 728
      4⤵
      Program crash
      PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3992 -ip 3992
1⤵
PID:2040

memory/3992-0-0x0000000002620000-0x0000000002707000-memory.dmp

Filesize
924KB

Download
memory/3992-1-0x0000000002710000-0x00000000027DD000-memory.dmp

Filesize
820KB

Download
memory/3992-3-0x0000000002710000-0x00000000027DD000-memory.dmp

Filesize
820KB

Download