e4a33d31e8b0a23953cd865e04e1f365d590b83e36534f24ba9ae751a0beaa31

Analysis

max time kernel
134s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 11:58

Target

e4a33d31e8b0a23953cd865e04e1f365d590b83e36534f24ba9ae751a0beaa31.exe
Size

73KB
MD5

6f898d85740ad13b1e785ae5d464c8b0
SHA1

1c855487badca3b6dcf66f685373322877f52cc2
SHA256

e4a33d31e8b0a23953cd865e04e1f365d590b83e36534f24ba9ae751a0beaa31
SHA512

a104b716da7c4d439dbee9f077eee34ad37131ad2b30d8b038231a7b278149b2d00d75d80dfe296abed373d18bba4bdb29c80b21a85c89f2c1079f4ca1e1a7e9
SSDEEP

1536:HbLmocWK5QPqfhVWbdsmA+RjPFLC+e5hi0ZGUGf2g:H9NPqfcxA+HFshiOg

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
4940	[email protected]

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 4824	1240	e4a33d31e8b0a23953cd865e04e1f365d590b83e36534f24ba9ae751a0beaa31.exe	81
PID 1240 wrote to memory of 4824	1240	e4a33d31e8b0a23953cd865e04e1f365d590b83e36534f24ba9ae751a0beaa31.exe	81
PID 1240 wrote to memory of 4824	1240	e4a33d31e8b0a23953cd865e04e1f365d590b83e36534f24ba9ae751a0beaa31.exe	81
PID 4824 wrote to memory of 4940	4824	cmd.exe	82
PID 4824 wrote to memory of 4940	4824	cmd.exe	82
PID 4824 wrote to memory of 4940	4824	cmd.exe	82
PID 4940 wrote to memory of 660	4940	[email protected]	83
PID 4940 wrote to memory of 660	4940	[email protected]	83
PID 4940 wrote to memory of 660	4940	[email protected]	83

C:\Users\Admin\AppData\Local\Temp\e4a33d31e8b0a23953cd865e04e1f365d590b83e36534f24ba9ae751a0beaa31.exe
"C:\Users\Admin\AppData\Local\Temp\e4a33d31e8b0a23953cd865e04e1f365d590b83e36534f24ba9ae751a0beaa31.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:660

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
a38317d4fb131cce99d8dfc7ae3cb7db

SHA1
be05d9bfb0f240bc9405ba282a03a626df9f72d9

SHA256
7a0dcb71a26982d51d3c597c1b660692d8e8770e55751c15f656b3b480228215

SHA512
f48b9829e6a4d837a9cb4dee62b15a911ae152b11c128e60d7049df7795439ecee5717789b6323678d4116e330c4e2d977dae0ea8ab87f318678b4992d71a291

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
a38317d4fb131cce99d8dfc7ae3cb7db

SHA1
be05d9bfb0f240bc9405ba282a03a626df9f72d9

SHA256
7a0dcb71a26982d51d3c597c1b660692d8e8770e55751c15f656b3b480228215

SHA512
f48b9829e6a4d837a9cb4dee62b15a911ae152b11c128e60d7049df7795439ecee5717789b6323678d4116e330c4e2d977dae0ea8ab87f318678b4992d71a291

Download Submit
C:\Users\Admin\AppData\Local\Temp\00.exe

Filesize
2KB

MD5
7b621943a35e7f39cf89f50cc48d7b94

SHA1
2858a28cf60f38025fffcd0ba2ecfec8511c197d

SHA256
bef04c2f89dc115ce2763558933dba1767bf30cda6856d335ae68955923f9991

SHA512
4169e664ad4e7e6891a05ceed78465e0ec44879b37fc0de97c014945e10c161f6bfb040efc24edc136e69bb115b2a1327b04cefb58141f712da856129872e8f1

Download Submit