26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0

Analysis

Target

26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe
Size

1.2MB
MD5

b5c62f489422f627cff6c315b8556a2f
SHA1

afbef151e8d4037c68c00c51094aadf2d733b136
SHA256

26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0
SHA512

18ec6e684301732d94f018438174939eaf6681328f567a6659a74c380eb389f5510bbbd6c9151276ad1a110c4cd61b6e05f63986b642d7190cf364ced7e97d4d

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
964	bobyse.exe

Loads dropped DLL 2 IoCs

pid	Process
1552	26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe
1552	26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\bodbof\bobyse.exe:ZoneIdentifier	26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1552	26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 964	1552	26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe	27
PID 1552 wrote to memory of 964	1552	26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe	27
PID 1552 wrote to memory of 964	1552	26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe	27
PID 1552 wrote to memory of 964	1552	26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe	27

C:\Users\Admin\AppData\Local\Temp\26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe
"C:\Users\Admin\AppData\Local\Temp\26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0.exe"
1⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Roaming\bodbof\bobyse.exe
  "C:\Users\Admin\AppData\Roaming\bodbof\bobyse.exe"
  2⤵
  - Executes dropped EXE
  PID:964

C:\Users\Admin\AppData\Roaming\bodbof\bobyse.exe

Filesize
1.2MB

MD5
b5c62f489422f627cff6c315b8556a2f

SHA1
afbef151e8d4037c68c00c51094aadf2d733b136

SHA256
26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0

SHA512
18ec6e684301732d94f018438174939eaf6681328f567a6659a74c380eb389f5510bbbd6c9151276ad1a110c4cd61b6e05f63986b642d7190cf364ced7e97d4d

Download Submit
\Users\Admin\AppData\Roaming\bodbof\bobyse.exe

Filesize
1.2MB

MD5
b5c62f489422f627cff6c315b8556a2f

SHA1
afbef151e8d4037c68c00c51094aadf2d733b136

SHA256
26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0

SHA512
18ec6e684301732d94f018438174939eaf6681328f567a6659a74c380eb389f5510bbbd6c9151276ad1a110c4cd61b6e05f63986b642d7190cf364ced7e97d4d

Download Submit
\Users\Admin\AppData\Roaming\bodbof\bobyse.exe

Filesize
1.2MB

MD5
b5c62f489422f627cff6c315b8556a2f

SHA1
afbef151e8d4037c68c00c51094aadf2d733b136

SHA256
26c064928cc325512536187c4fd8a4d950763ebaf6c55799ba91c7ee7349fbd0

SHA512
18ec6e684301732d94f018438174939eaf6681328f567a6659a74c380eb389f5510bbbd6c9151276ad1a110c4cd61b6e05f63986b642d7190cf364ced7e97d4d

Download Submit
memory/1552-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download