c7b130f5b5a0c5d2fa4d202143d40393eccd2bcf563c7496a51ee267dd50bc16

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 01:02

Target

3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe
Size

1.1MB
MD5

ec066ae04c36cf907aafa4448b614467
SHA1

b53d01c464f61e4654286e8650bb171be14902cf
SHA256

3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb
SHA512

b30f55db38a1c4297c50d3d7e87748ee7f5d203a002d58a61d5770394bc39a7c1b46b50fa094282eb21330830ea7fa523e3eb5c0ac7f1229ded244c8a3e4529f
SSDEEP

24576:gqDEvCTbMWu7rQYlBQcBiT6rprG8ap3H+1PNrT:gTvC/MTQYxsWR7aZe1PNr

Score

7^/10

Drops startup file 1 IoCs

Processes:

name.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs name.exe
Executes dropped EXE 1 IoCs

Processes:

name.exe

pid process

4084 name.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

pid	process
4084	name.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\directory\name.exe	autoit_exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2132 4084 WerFault.exe name.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

name.exe

pid process

4084 name.exe

pid	pid_target	process	target process
2132	4084	WerFault.exe	name.exe

pid	process
4084	name.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exename.exe

pid	process
2688	3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe
2688	3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe
4084	name.exe
4084	name.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exename.exe

pid	process
2688	3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe
2688	3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe
4084	name.exe
4084	name.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exename.exe

description	pid	process	target process
PID 2688 wrote to memory of 4084	2688	3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe	name.exe
PID 2688 wrote to memory of 4084	2688	3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe	name.exe
PID 2688 wrote to memory of 4084	2688	3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe	name.exe
PID 4084 wrote to memory of 4244	4084	name.exe	RegSvcs.exe
PID 4084 wrote to memory of 4244	4084	name.exe	RegSvcs.exe
PID 4084 wrote to memory of 4244	4084	name.exe	RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe"
3⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 700
3⤵
- Program crash
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4084 -ip 4084
1⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\antiprimer
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\demonetising
Filesize
28KB

MD5
2893d98764427db040762730399d7d54

SHA1
fed5a731656fc6de9f96ed35d108345043fa4fee

SHA256
8ac05f366cd7ec1a747987d808de1979e9e7a1eb11dd0a69e47fda8e7bfe5af9

SHA512
e4b9454f5aa2af9c7fca01fb467afad76579c7a13952c134547ac4b1f8e563566c62e9417ece91fa4d2758c10a414accade5ed446298374bfa53ee283778e1b6

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe
Filesize
1.1MB

MD5
ec066ae04c36cf907aafa4448b614467

SHA1
b53d01c464f61e4654286e8650bb171be14902cf

SHA256
3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb

SHA512
b30f55db38a1c4297c50d3d7e87748ee7f5d203a002d58a61d5770394bc39a7c1b46b50fa094282eb21330830ea7fa523e3eb5c0ac7f1229ded244c8a3e4529f

Download Submit
memory/2688-10-0x0000000003DB0000-0x0000000003DB4000-memory.dmp

Filesize
16KB

Download