Vr.rar

backendfu1m1
featuresanalog, overview
max_time_kernel113457
max_time_network16887
platformwindows7_x64
resourcewin7v20201028
submitted25-11-2020 10:45

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

0x000100000001ab9c-70.exe

Filesize

977KB

Completed

25-11-2020 10:47

Score

8 ^/10

MD5

5c6684e8c2b678de9e2776c6b50ddd72

SHA1

7d255100d811de745e6ee908d1e0f8ba4ff21add

SHA256

bb5d2c07ce902c78227325bf5f336c04335874445fc0635a6b67ae5ba9d2fefc

Executes dropped EXE
0x000100000001ab9c-70.tmp

Reported IOCs

pid process

1912 0x000100000001ab9c-70.tmp
Loads dropped DLL
0x000100000001ab9c-70.exe

Reported IOCs

pid process

1732 0x000100000001ab9c-70.exe
Suspicious behavior: GetForegroundWindowSpam
0x000100000001ab9c-70.tmp

Reported IOCs

pid process

1912 0x000100000001ab9c-70.tmp

Suspicious use of WriteProcessMemory

0x000100000001ab9c-70.exe

Reported IOCs

description	pid	process	target process
PID 1732 wrote to memory of 1912	1732	0x000100000001ab9c-70.exe	0x000100000001ab9c-70.tmp
PID 1732 wrote to memory of 1912	1732	0x000100000001ab9c-70.exe	0x000100000001ab9c-70.tmp
PID 1732 wrote to memory of 1912	1732	0x000100000001ab9c-70.exe	0x000100000001ab9c-70.tmp
PID 1732 wrote to memory of 1912	1732	0x000100000001ab9c-70.exe	0x000100000001ab9c-70.tmp
PID 1732 wrote to memory of 1912	1732	0x000100000001ab9c-70.exe	0x000100000001ab9c-70.tmp
PID 1732 wrote to memory of 1912	1732	0x000100000001ab9c-70.exe	0x000100000001ab9c-70.tmp
PID 1732 wrote to memory of 1912	1732	0x000100000001ab9c-70.exe	0x000100000001ab9c-70.tmp

C:\Users\Admin\AppData\Local\Temp\0x000100000001ab9c-70.exe

"C:\Users\Admin\AppData\Local\Temp\0x000100000001ab9c-70.exe"

Loads dropped DLL
Suspicious use of WriteProcessMemory

PID:1732

C:\Users\Admin\AppData\Local\Temp\is-NP8CK.tmp\0x000100000001ab9c-70.tmp

"C:\Users\Admin\AppData\Local\Temp\is-NP8CK.tmp\0x000100000001ab9c-70.tmp" /SL5="$50152,748569,121344,C:\Users\Admin\AppData\Local\Temp\0x000100000001ab9c-70.exe"

Executes dropped EXE
Suspicious behavior: GetForegroundWindowSpam

PID:1912

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\is-NP8CK.tmp\0x000100000001ab9c-70.tmp

MD5
1a8ac942e4c2302d349caaed9943360d

SHA1
a08ce743c3d90a2b713db3e58e747e7a00a32590

SHA256
db8341fc8e86f7b80fbe144aa9ceea3e3369b64dcd5998c5a7f186c304cfeb96

SHA512
d65e4f9846bb6fba5a8b4f9409b2576af041dfa9b453800c298ec810bd27cfcf28d1933bc79893aa79323654ab4b85e321b03eaf17d67f0e19c79749751e4aab

Download Submit
\Users\Admin\AppData\Local\Temp\is-NP8CK.tmp\0x000100000001ab9c-70.tmp

MD5
1a8ac942e4c2302d349caaed9943360d

SHA1
a08ce743c3d90a2b713db3e58e747e7a00a32590

SHA256
db8341fc8e86f7b80fbe144aa9ceea3e3369b64dcd5998c5a7f186c304cfeb96

SHA512
d65e4f9846bb6fba5a8b4f9409b2576af041dfa9b453800c298ec810bd27cfcf28d1933bc79893aa79323654ab4b85e321b03eaf17d67f0e19c79749751e4aab

Download Submit
memory/1912-1-0x0000000000000000-mapping.dmp

Download