2e3ea80127421c6231d9585f44d9372487f9d77abe6915420464f2ad74c41a00

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 14:26

Target

cba4e3375e7ed8a08ee1be002cc114ce.exe
Size

22KB
MD5

cba4e3375e7ed8a08ee1be002cc114ce
SHA1

f0638ef68f1ba23c60beb06c29899f7cbc1af363
SHA256

2e3ea80127421c6231d9585f44d9372487f9d77abe6915420464f2ad74c41a00
SHA512

9b35ac9667e80fe668197b36dd5bebedb31e306731f269dcdda2a221c84fd5e9a9150bfe64bc9b005b58d94f6685f9905a75a144fd2bbe5bd753e0b622464016
SSDEEP

384:3B3zmWeqi7UJ77zhG4f/w+DW2QZFHMCL/o0xwBKjiUY3r+gimB8EsBBv3WcIr:3B3zxeK7sKwqYHMCLA0xGKjiU6r+c0zO

Score

7^/10

upx

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/3140-0-0x0000000000400000-0x0000000000414208-memory.dmp	upx
behavioral2/memory/3352-1-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/3140-4-0x0000000000400000-0x0000000000414208-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Deledomn.bat	cba4e3375e7ed8a08ee1be002cc114ce.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3140 set thread context of 3352	3140	cba4e3375e7ed8a08ee1be002cc114ce.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5000	3352	WerFault.exe	88

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 3352	3140	cba4e3375e7ed8a08ee1be002cc114ce.exe	88
PID 3140 wrote to memory of 3352	3140	cba4e3375e7ed8a08ee1be002cc114ce.exe	88
PID 3140 wrote to memory of 3352	3140	cba4e3375e7ed8a08ee1be002cc114ce.exe	88
PID 3140 wrote to memory of 3352	3140	cba4e3375e7ed8a08ee1be002cc114ce.exe	88
PID 3140 wrote to memory of 3352	3140	cba4e3375e7ed8a08ee1be002cc114ce.exe	88
PID 3140 wrote to memory of 3220	3140	cba4e3375e7ed8a08ee1be002cc114ce.exe	90
PID 3140 wrote to memory of 3220	3140	cba4e3375e7ed8a08ee1be002cc114ce.exe	90
PID 3140 wrote to memory of 3220	3140	cba4e3375e7ed8a08ee1be002cc114ce.exe	90

C:\Users\Admin\AppData\Local\Temp\cba4e3375e7ed8a08ee1be002cc114ce.exe
"C:\Users\Admin\AppData\Local\Temp\cba4e3375e7ed8a08ee1be002cc114ce.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  PID:3352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 12
    3⤵
    - Program crash
    PID:5000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deledomn.bat
  2⤵
  PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3352 -ip 3352
1⤵
PID:3488

C:\Windows\SysWOW64\Deledomn.bat

Filesize
184B

MD5
129612fd4c5aaaac1856c56756532e90

SHA1
359f72ad66d8f9002e1ace5a3a5004e12547f3f5

SHA256
3cda2cc393b632b65f0b4e7bf580ca8f1d2b257bb55cef380c2b6ac98cac5f12

SHA512
812056388e2af886b299d5ebd7e91a64af87bcd3d85c860d4c2e4a3e60855b889c2e452068ca7960ce7d701a473f391ae5b93a05952244eeb8a3525dbf1fca01

Download Submit
memory/3140-0-0x0000000000400000-0x0000000000414208-memory.dmp

Filesize
80KB

Download
memory/3140-4-0x0000000000400000-0x0000000000414208-memory.dmp

Filesize
80KB

Download
memory/3352-1-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3352-6-0x0000000000050000-0x0000000000050000-memory.dmp

Download