e63bd15ddc778121c7918f4b4190e71b4a2369914a223aac568c2876afe74157

Analysis

Target

1.exe
Size

270KB
MD5

5b34d083589d75d37b031fa49c10c3aa
SHA1

211773bd1943499c4f5a3566c0f29bba202fb224
SHA256

e63bd15ddc778121c7918f4b4190e71b4a2369914a223aac568c2876afe74157
SHA512

2cb84c66934abc2a6cc81144b6f690a94c5d91ac61c1c7f2bd37da76a8133857070646f61492f913250bee66e8a116a5007064437645aef1fc5a60980dd9fac8

Score

1^/10

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1.execmd.exe

description	pid	process	target process
PID 1276 wrote to memory of 1056	1276	1.exe	cmd.exe
PID 1276 wrote to memory of 1056	1276	1.exe	cmd.exe
PID 1276 wrote to memory of 1056	1276	1.exe	cmd.exe
PID 1056 wrote to memory of 2028	1056	cmd.exe	choice.exe
PID 1056 wrote to memory of 2028	1056	cmd.exe	choice.exe
PID 1056 wrote to memory of 2028	1056	cmd.exe	choice.exe
PID 1056 wrote to memory of 1000	1056	cmd.exe	1.exe
PID 1056 wrote to memory of 1000	1056	cmd.exe	1.exe
PID 1056 wrote to memory of 1000	1056	cmd.exe	1.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\system32\cmd.exe
  cmd /c choice /c y /d y /t 9 > NUL & start "" "C:\Users\Admin\AppData\Local\Temp\1.exe" wD6bUqfE kO5rG7fD & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\system32\choice.exe
    choice /c y /d y /t 9
    3⤵
    PID:2028
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe" wD6bUqfE kO5rG7fD
    3⤵
    PID:1000

memory/1276-55-0x000007FFFFF90000-0x000007FFFFFAF000-memory.dmp

Filesize
124KB

Download