c564c0450bd7792b93ffa8e9e238f710e2b5ce46c21de499f83ca764477fdab6

Analysis

max time kernel
89s
max time network
46s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 02:34

Target

c564c0450bd7792b93ffa8e9e238f710e2b5ce46c21de499f83ca764477fdab6.exe
Size

580KB
MD5

4d6a0789205bf65317eb37a2676ca96f
SHA1

c4226234299a9b1a5a6d6c0f2aa015d0e14e724b
SHA256

c564c0450bd7792b93ffa8e9e238f710e2b5ce46c21de499f83ca764477fdab6
SHA512

5cbe84f43860b64a3a2a97c7845bd5d2916a2bf48d5cb6482f55fb62844ed29e01801e4650aa198a6e615fd1195d08eecada2a44767da36111fe91b86cc755cb

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

xrvb.exe

pid process

276 xrvb.exe

pid	process
276	xrvb.exe

Loads dropped DLL 2 IoCs

Processes:

c564c0450bd7792b93ffa8e9e238f710e2b5ce46c21de499f83ca764477fdab6.exe

pid	process
1904	c564c0450bd7792b93ffa8e9e238f710e2b5ce46c21de499f83ca764477fdab6.exe
1904	c564c0450bd7792b93ffa8e9e238f710e2b5ce46c21de499f83ca764477fdab6.exe

NTFS ADS 1 IoCs

Processes:

c564c0450bd7792b93ffa8e9e238f710e2b5ce46c21de499f83ca764477fdab6.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\gmst\xrvb.exe:ZoneIdentifier	c564c0450bd7792b93ffa8e9e238f710e2b5ce46c21de499f83ca764477fdab6.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

c564c0450bd7792b93ffa8e9e238f710e2b5ce46c21de499f83ca764477fdab6.exe

pid process

1904 c564c0450bd7792b93ffa8e9e238f710e2b5ce46c21de499f83ca764477fdab6.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c564c0450bd7792b93ffa8e9e238f710e2b5ce46c21de499f83ca764477fdab6.exe

description	pid	process	target process
PID 1904 wrote to memory of 276	1904	c564c0450bd7792b93ffa8e9e238f710e2b5ce46c21de499f83ca764477fdab6.exe	xrvb.exe
PID 1904 wrote to memory of 276	1904	c564c0450bd7792b93ffa8e9e238f710e2b5ce46c21de499f83ca764477fdab6.exe	xrvb.exe
PID 1904 wrote to memory of 276	1904	c564c0450bd7792b93ffa8e9e238f710e2b5ce46c21de499f83ca764477fdab6.exe	xrvb.exe
PID 1904 wrote to memory of 276	1904	c564c0450bd7792b93ffa8e9e238f710e2b5ce46c21de499f83ca764477fdab6.exe	xrvb.exe

C:\Users\Admin\AppData\Roaming\gmst\xrvb.exe
"C:\Users\Admin\AppData\Roaming\gmst\xrvb.exe"
2⤵
- Executes dropped EXE
PID:276

C:\Users\Admin\AppData\Roaming\gmst\xrvb.exe

Filesize
580KB

MD5
4d6a0789205bf65317eb37a2676ca96f

SHA1
c4226234299a9b1a5a6d6c0f2aa015d0e14e724b

SHA256
c564c0450bd7792b93ffa8e9e238f710e2b5ce46c21de499f83ca764477fdab6

SHA512
5cbe84f43860b64a3a2a97c7845bd5d2916a2bf48d5cb6482f55fb62844ed29e01801e4650aa198a6e615fd1195d08eecada2a44767da36111fe91b86cc755cb

Download Submit
\Users\Admin\AppData\Roaming\gmst\xrvb.exe

Filesize
580KB

MD5
4d6a0789205bf65317eb37a2676ca96f

SHA1
c4226234299a9b1a5a6d6c0f2aa015d0e14e724b

SHA256
c564c0450bd7792b93ffa8e9e238f710e2b5ce46c21de499f83ca764477fdab6

SHA512
5cbe84f43860b64a3a2a97c7845bd5d2916a2bf48d5cb6482f55fb62844ed29e01801e4650aa198a6e615fd1195d08eecada2a44767da36111fe91b86cc755cb

Download Submit
\Users\Admin\AppData\Roaming\gmst\xrvb.exe

Filesize
580KB

MD5
4d6a0789205bf65317eb37a2676ca96f

SHA1
c4226234299a9b1a5a6d6c0f2aa015d0e14e724b

SHA256
c564c0450bd7792b93ffa8e9e238f710e2b5ce46c21de499f83ca764477fdab6

SHA512
5cbe84f43860b64a3a2a97c7845bd5d2916a2bf48d5cb6482f55fb62844ed29e01801e4650aa198a6e615fd1195d08eecada2a44767da36111fe91b86cc755cb

Download Submit
memory/276-57-0x0000000000000000-mapping.dmp

Download
memory/1904-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1904-59-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download