462f28cd4d65b31132e10089945663daf4b23d6c43a1c3d576e9cd35f3597606

General

Target

462f28cd4d65b31132e10089945663daf4b23d6c43a1c3d576e9cd35f3597606.exe
Size

623KB
MD5

bbd98954a7a985e567d0b4d8a31bdc23
SHA1

cba56132198878a1030152d9be2fc960775c6aed
SHA256

462f28cd4d65b31132e10089945663daf4b23d6c43a1c3d576e9cd35f3597606
SHA512

2501241c5694f0d125a0cda4b77ec367bbccd817473897251da3287aaedf20cce74b119b010967b6aaeb7559c7cede2dd85d2c01d7062cc32ac2225e9459d1c2

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

smgu.exe

pid process

1940 smgu.exe

pid	process
1940	smgu.exe

Loads dropped DLL 2 IoCs

Processes:

462f28cd4d65b31132e10089945663daf4b23d6c43a1c3d576e9cd35f3597606.exe

pid	process
632	462f28cd4d65b31132e10089945663daf4b23d6c43a1c3d576e9cd35f3597606.exe
632	462f28cd4d65b31132e10089945663daf4b23d6c43a1c3d576e9cd35f3597606.exe

NTFS ADS 1 IoCs

Processes:

462f28cd4d65b31132e10089945663daf4b23d6c43a1c3d576e9cd35f3597606.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\dth54\smgu.exe:ZoneIdentifier	462f28cd4d65b31132e10089945663daf4b23d6c43a1c3d576e9cd35f3597606.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

462f28cd4d65b31132e10089945663daf4b23d6c43a1c3d576e9cd35f3597606.exe

pid process

632 462f28cd4d65b31132e10089945663daf4b23d6c43a1c3d576e9cd35f3597606.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

462f28cd4d65b31132e10089945663daf4b23d6c43a1c3d576e9cd35f3597606.exe

description	pid	process	target process
PID 632 wrote to memory of 1940	632	462f28cd4d65b31132e10089945663daf4b23d6c43a1c3d576e9cd35f3597606.exe	smgu.exe
PID 632 wrote to memory of 1940	632	462f28cd4d65b31132e10089945663daf4b23d6c43a1c3d576e9cd35f3597606.exe	smgu.exe
PID 632 wrote to memory of 1940	632	462f28cd4d65b31132e10089945663daf4b23d6c43a1c3d576e9cd35f3597606.exe	smgu.exe
PID 632 wrote to memory of 1940	632	462f28cd4d65b31132e10089945663daf4b23d6c43a1c3d576e9cd35f3597606.exe	smgu.exe

C:\Users\Admin\AppData\Local\Temp\462f28cd4d65b31132e10089945663daf4b23d6c43a1c3d576e9cd35f3597606.exe
"C:\Users\Admin\AppData\Local\Temp\462f28cd4d65b31132e10089945663daf4b23d6c43a1c3d576e9cd35f3597606.exe"
1⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:632
- C:\Users\Admin\AppData\Roaming\dth54\smgu.exe
  "C:\Users\Admin\AppData\Roaming\dth54\smgu.exe"
  2⤵
  - Executes dropped EXE
  PID:1940

C:\Users\Admin\AppData\Roaming\dth54\smgu.exe

Filesize
623KB

MD5
bbd98954a7a985e567d0b4d8a31bdc23

SHA1
cba56132198878a1030152d9be2fc960775c6aed

SHA256
462f28cd4d65b31132e10089945663daf4b23d6c43a1c3d576e9cd35f3597606

SHA512
2501241c5694f0d125a0cda4b77ec367bbccd817473897251da3287aaedf20cce74b119b010967b6aaeb7559c7cede2dd85d2c01d7062cc32ac2225e9459d1c2

Download Submit
\Users\Admin\AppData\Roaming\dth54\smgu.exe

Filesize
623KB

MD5
bbd98954a7a985e567d0b4d8a31bdc23

SHA1
cba56132198878a1030152d9be2fc960775c6aed

SHA256
462f28cd4d65b31132e10089945663daf4b23d6c43a1c3d576e9cd35f3597606

SHA512
2501241c5694f0d125a0cda4b77ec367bbccd817473897251da3287aaedf20cce74b119b010967b6aaeb7559c7cede2dd85d2c01d7062cc32ac2225e9459d1c2

Download Submit
\Users\Admin\AppData\Roaming\dth54\smgu.exe

Filesize
623KB

MD5
bbd98954a7a985e567d0b4d8a31bdc23

SHA1
cba56132198878a1030152d9be2fc960775c6aed

SHA256
462f28cd4d65b31132e10089945663daf4b23d6c43a1c3d576e9cd35f3597606

SHA512
2501241c5694f0d125a0cda4b77ec367bbccd817473897251da3287aaedf20cce74b119b010967b6aaeb7559c7cede2dd85d2c01d7062cc32ac2225e9459d1c2

Download Submit
memory/632-54-0x0000000075391000-0x0000000075393000-memory.dmp

Filesize
8KB

Download
memory/1940-57-0x0000000000000000-mapping.dmp

Download