dcde664ea5fb133e5db36cb4b0c30e486aec71ee2e87cefd829fad4c9bbf932a

Analysis

max time kernel
43s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18/09/2022, 22:56

Target

dcde664ea5fb133e5db36cb4b0c30e486aec71ee2e87cefd829fad4c9bbf932a.exe
Size

262KB
MD5

a68e25da1c5cad08d16b2dfc9008e6f2
SHA1

4e54ce42bb67e7e454a78fbef8aaac836d051cd6
SHA256

dcde664ea5fb133e5db36cb4b0c30e486aec71ee2e87cefd829fad4c9bbf932a
SHA512

18ad115352d2ffaf8885dc79056f59fc4315ae28fad034cb50e08245806ce188892b154fd8156463dfd7bd944f50f9c1b999b9a8341e980358e474ae284862f3
SSDEEP

6144:3OVhU87xUIAinrtwUK1gg3gO8L5857UhXsu6EJXRJqFYMSSLqqDkmco/ZKmGpk:OhjUtYwUKd3gSgXsu6EJXRJqFmSmq2En

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1636	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1788	dcde664ea5fb133e5db36cb4b0c30e486aec71ee2e87cefd829fad4c9bbf932a.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ro.dll	dcde664ea5fb133e5db36cb4b0c30e486aec71ee2e87cefd829fad4c9bbf932a.exe
File created	C:\Windows\SysWOW64\ro.dll	dcde664ea5fb133e5db36cb4b0c30e486aec71ee2e87cefd829fad4c9bbf932a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1636	1788	dcde664ea5fb133e5db36cb4b0c30e486aec71ee2e87cefd829fad4c9bbf932a.exe	28
PID 1788 wrote to memory of 1636	1788	dcde664ea5fb133e5db36cb4b0c30e486aec71ee2e87cefd829fad4c9bbf932a.exe	28
PID 1788 wrote to memory of 1636	1788	dcde664ea5fb133e5db36cb4b0c30e486aec71ee2e87cefd829fad4c9bbf932a.exe	28
PID 1788 wrote to memory of 1636	1788	dcde664ea5fb133e5db36cb4b0c30e486aec71ee2e87cefd829fad4c9bbf932a.exe	28

C:\Users\Admin\AppData\Local\Temp\dcde664ea5fb133e5db36cb4b0c30e486aec71ee2e87cefd829fad4c9bbf932a.exe
"C:\Users\Admin\AppData\Local\Temp\dcde664ea5fb133e5db36cb4b0c30e486aec71ee2e87cefd829fad4c9bbf932a.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\52024del.bat
  2⤵
  - Deletes itself
  PID:1636

C:\Users\Admin\AppData\Local\Temp\52024del.bat

Filesize
228B

MD5
391f6ee1cc8584a2b2eb10fe738e73da

SHA1
4e5edaf0833d8b33a0b403465ddd777b4cf81b4d

SHA256
7ffd4dedc60a2c745463f366472bdbeec765f949a9fc005d29106f68e99c5dc1

SHA512
34e8dae4ebcef5bc874e59f92f47e5cfcc061f4b5366f2b0ac97a09afacf93003d46426d867fbad54b28b44b41049e7074a74fa81190a9e74ba25ee715e4161d

Download Submit
\Windows\SysWOW64\ro.dll

Filesize
193KB

MD5
be73caf440f0258ac581866e62504e26

SHA1
f0266d52ebf38b15f59ceea1eac4069abd27e491

SHA256
d4e465480c5b2e220ef98e6025d249853ce80c64a5e3e2939752c175846fc358

SHA512
938fdb55e40fac6f4a38ff57cd657b7f394d595ea80c450a616a107e23d07bf02cd7f8ce13deb977cc1b399761bb16e75c1e045eaa33b9f7198e69d2a6421342

Download Submit
memory/1788-54-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1788-56-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/1788-58-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download