8b8ae67ffad201f038c3571249b17b8c5f602801541a47ca088cbbdbbc79700d

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 22:12

Target

e037d15c75045ccead0bc9e423800d59.exe
Size

18KB
MD5

e037d15c75045ccead0bc9e423800d59
SHA1

0c9c7185f47ef2e087cad3b6b2a63aeb08fd15f6
SHA256

8b8ae67ffad201f038c3571249b17b8c5f602801541a47ca088cbbdbbc79700d
SHA512

9926ed05ca2b2130953c58cda0f1ebd9c87dfcdd1557afc8f28f7fd92051919ee0eab2a1fc9f6c7756a313cd8d0440ca5f3ee6b443b6e45f7875ec7d2d08b639
SSDEEP

384:Hq4g0/4V3aFdHc5Y9e7cj+FPPNWhgPUMJi/NXcT19SkDieX0Vt:Kf0/4ZE8keYqFXUo4c/vX0P

Score

5^/10

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Deleteme.bat	e037d15c75045ccead0bc9e423800d59.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2960 set thread context of 3596	2960	e037d15c75045ccead0bc9e423800d59.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1520	3596	WerFault.exe	88

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 3596	2960	e037d15c75045ccead0bc9e423800d59.exe	88
PID 2960 wrote to memory of 3596	2960	e037d15c75045ccead0bc9e423800d59.exe	88
PID 2960 wrote to memory of 3596	2960	e037d15c75045ccead0bc9e423800d59.exe	88
PID 2960 wrote to memory of 3596	2960	e037d15c75045ccead0bc9e423800d59.exe	88
PID 2960 wrote to memory of 3596	2960	e037d15c75045ccead0bc9e423800d59.exe	88
PID 2960 wrote to memory of 4916	2960	e037d15c75045ccead0bc9e423800d59.exe	90
PID 2960 wrote to memory of 4916	2960	e037d15c75045ccead0bc9e423800d59.exe	90
PID 2960 wrote to memory of 4916	2960	e037d15c75045ccead0bc9e423800d59.exe	90

C:\Users\Admin\AppData\Local\Temp\e037d15c75045ccead0bc9e423800d59.exe
"C:\Users\Admin\AppData\Local\Temp\e037d15c75045ccead0bc9e423800d59.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:3596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 12
    3⤵
    - Program crash
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3596 -ip 3596
1⤵
PID:3940

C:\Windows\SysWOW64\Deleteme.bat

Filesize
184B

MD5
41c3a92f4047feef533b537069b45444

SHA1
aec911fc5656de97165bc81e20849e85f79b63ab

SHA256
71335f0fd29a3183c7cfcd28ce4e4db6930d9429e2d21a9ad397974feee1958d

SHA512
ab79705442bb975ff831efebb38555789e644f94491140fd6e6a6d2d1ea5fbf6a4089722ea63616bc022649e11c8e521882708858fa66903f44be5a374cf84ed

Download Submit
memory/2960-0-0x0000000000400000-0x0000000000414835-memory.dmp

Filesize
82KB

Download
memory/2960-1-0x0000000000400000-0x0000000000414835-memory.dmp

Filesize
82KB

Download
memory/2960-2-0x0000000000400000-0x0000000000414835-memory.dmp

Filesize
82KB

Download
memory/2960-6-0x0000000000400000-0x0000000000414835-memory.dmp

Filesize
82KB

Download
memory/3596-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download