1cb8638e951d4a48f8ebb77f6eca93b801f44b076e2c00f650725ae3a6bace6e

Analysis

max time kernel
141s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2022, 10:10

Target

1cb8638e951d4a48f8ebb77f6eca93b801f44b076e2c00f650725ae3a6bace6e.exe
Size

44KB
MD5

6e5b82915b627b27aaeafc383b6d4ef0
SHA1

7ed9e9a1167f5b1f318871e5960bbb6629895915
SHA256

1cb8638e951d4a48f8ebb77f6eca93b801f44b076e2c00f650725ae3a6bace6e
SHA512

7733bdb99a20b0bae06cd3d347171306f662872b5c3bd71c4671f0d87a77995925dd31128e64795ce14ac8483aa540241334bc57f3d9949fcadca04448e3b121
SSDEEP

768:AWsyqAggh4nfZ11jwjvKrEIJiQeLCXv/NIS6Ydpb5+o6+6rE6ZyhHpox:rsyqFgOD9eKQ/Cf/NISvDb5r+rErpox

Score

8^/10

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\svchost.exe	1cb8638e951d4a48f8ebb77f6eca93b801f44b076e2c00f650725ae3a6bace6e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\svchost.exe	1cb8638e951d4a48f8ebb77f6eca93b801f44b076e2c00f650725ae3a6bace6e.exe
File created	C:\Windows\SysWOW64\drivers\svchost.exe	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4896	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 4896	4880	1cb8638e951d4a48f8ebb77f6eca93b801f44b076e2c00f650725ae3a6bace6e.exe	82
PID 4880 wrote to memory of 4896	4880	1cb8638e951d4a48f8ebb77f6eca93b801f44b076e2c00f650725ae3a6bace6e.exe	82
PID 4880 wrote to memory of 4896	4880	1cb8638e951d4a48f8ebb77f6eca93b801f44b076e2c00f650725ae3a6bace6e.exe	82
PID 4880 wrote to memory of 4788	4880	1cb8638e951d4a48f8ebb77f6eca93b801f44b076e2c00f650725ae3a6bace6e.exe	83
PID 4880 wrote to memory of 4788	4880	1cb8638e951d4a48f8ebb77f6eca93b801f44b076e2c00f650725ae3a6bace6e.exe	83
PID 4880 wrote to memory of 4788	4880	1cb8638e951d4a48f8ebb77f6eca93b801f44b076e2c00f650725ae3a6bace6e.exe	83

C:\Users\Admin\AppData\Local\Temp\1cb8638e951d4a48f8ebb77f6eca93b801f44b076e2c00f650725ae3a6bace6e.exe
"C:\Users\Admin\AppData\Local\Temp\1cb8638e951d4a48f8ebb77f6eca93b801f44b076e2c00f650725ae3a6bace6e.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\SysWOW64\drivers\svchost.exe
  "C:\Windows\system32\drivers\svchost.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  PID:4896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\rs.bat C:\Users\Admin\AppData\Local\Temp\1cb8638e951d4a48f8ebb77f6eca93b801f44b076e2c00f650725ae3a6bace6e.exe
  2⤵
  PID:4788

C:\Users\Admin\AppData\Local\Temp\rs.bat

Filesize
105B

MD5
c33c3bd528b74ef8e010cd3b5f3950aa

SHA1
c8fafd5f2a514aaf64259565aaae8d0450444be3

SHA256
4a9b066077e5b57aaf2d54e23c023ed6558b89d4955a0f94e5c39257ad7e9df8

SHA512
92e85b2a6ea5d06b9258f37ded20605807fd26ec3b402452e90cde26148f05b609f336e6844b92d0357e84ba462ba9acab7ea1ee3de1693b7955301f458e87c9

Download Submit
C:\Windows\SysWOW64\drivers\svchost.exe

Filesize
44KB

MD5
6e5b82915b627b27aaeafc383b6d4ef0

SHA1
7ed9e9a1167f5b1f318871e5960bbb6629895915

SHA256
1cb8638e951d4a48f8ebb77f6eca93b801f44b076e2c00f650725ae3a6bace6e

SHA512
7733bdb99a20b0bae06cd3d347171306f662872b5c3bd71c4671f0d87a77995925dd31128e64795ce14ac8483aa540241334bc57f3d9949fcadca04448e3b121

Download Submit
C:\Windows\SysWOW64\drivers\svchost.exe

Filesize
44KB

MD5
6e5b82915b627b27aaeafc383b6d4ef0

SHA1
7ed9e9a1167f5b1f318871e5960bbb6629895915

SHA256
1cb8638e951d4a48f8ebb77f6eca93b801f44b076e2c00f650725ae3a6bace6e

SHA512
7733bdb99a20b0bae06cd3d347171306f662872b5c3bd71c4671f0d87a77995925dd31128e64795ce14ac8483aa540241334bc57f3d9949fcadca04448e3b121

Download Submit
memory/4880-132-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4896-136-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download