f8eba1be5f2168b86296f49f1a84d113ed3d4a13f1e01fd3c5bac28341ada2be

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 04:31

Target

f8eba1be5f2168b86296f49f1a84d113ed3d4a13f1e01fd3c5bac28341ada2be.exe
Size

96KB
MD5

602abc80786d41f1ebee8bbabb666250
SHA1

7559880afa96e5c5b866f799cfe5192a5d315f80
SHA256

f8eba1be5f2168b86296f49f1a84d113ed3d4a13f1e01fd3c5bac28341ada2be
SHA512

23afbf2c342f09d0ae7e81562cccf65a931130dbcb4a5036cfde386c179c797a236521e999aac3c2c5dbf5d12d94e6d909cf59d640720ab1b8fb2c39e8c25d90
SSDEEP

384:TjYpo+aXfjYpo+aX2XW/YDxuBeUvKpCK6jKaU5iFezF24:TjYpzCjYpzNG/OkWCK6jgvb

Score

7^/10

Deletes itself 1 IoCs

pid	Process
936	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1080	f8eba1be5f2168b86296f49f1a84d113ed3d4a13f1e01fd3c5bac28341ada2be.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\gdhnxai32.cfg	f8eba1be5f2168b86296f49f1a84d113ed3d4a13f1e01fd3c5bac28341ada2be.exe
File opened for modification	C:\Windows\SysWOW64\gdhnxai32.dll	f8eba1be5f2168b86296f49f1a84d113ed3d4a13f1e01fd3c5bac28341ada2be.exe
File created	C:\Windows\SysWOW64\gdhnxai32.dll	f8eba1be5f2168b86296f49f1a84d113ed3d4a13f1e01fd3c5bac28341ada2be.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1080	f8eba1be5f2168b86296f49f1a84d113ed3d4a13f1e01fd3c5bac28341ada2be.exe

Suspicious behavior: LoadsDriver 39 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 936	1080	f8eba1be5f2168b86296f49f1a84d113ed3d4a13f1e01fd3c5bac28341ada2be.exe	28
PID 1080 wrote to memory of 936	1080	f8eba1be5f2168b86296f49f1a84d113ed3d4a13f1e01fd3c5bac28341ada2be.exe	28
PID 1080 wrote to memory of 936	1080	f8eba1be5f2168b86296f49f1a84d113ed3d4a13f1e01fd3c5bac28341ada2be.exe	28
PID 1080 wrote to memory of 936	1080	f8eba1be5f2168b86296f49f1a84d113ed3d4a13f1e01fd3c5bac28341ada2be.exe	28

C:\Users\Admin\AppData\Local\Temp\f8eba1be5f2168b86296f49f1a84d113ed3d4a13f1e01fd3c5bac28341ada2be.exe
"C:\Users\Admin\AppData\Local\Temp\f8eba1be5f2168b86296f49f1a84d113ed3d4a13f1e01fd3c5bac28341ada2be.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f8eba1be5f2168b86296f49f1a84d113ed3d4a13f1e01fd3c5bac28341ada2be.exe"
  2⤵
  - Deletes itself
  PID:936

\Windows\SysWOW64\gdhnxai32.dll

Filesize
13KB

MD5
cb7fd09ac9df29a722acc0ca046f7f38

SHA1
d57f00e54059d2e0dc4968b89d527ed45849b042

SHA256
05cd3ea0ac925d4d2656996e0d36b5bcfe44615691aeb282ad3af9af3e892848

SHA512
aad257d56ce61d8d51f6ac2a0bd4cc6aaa58689aa39c21a435803ef44d5f26b081ff2ab19303c38bb6713071e161907bc52ea8203bb6eae6405414b277bb9d46

Download Submit
memory/936-56-0x0000000000000000-mapping.dmp

Download
memory/1080-55-0x0000000025000000-0x000000002501B000-memory.dmp

Filesize
108KB

Download
memory/1080-57-0x0000000025000000-0x000000002501B000-memory.dmp

Filesize
108KB

Download