d32e8344fd18130cfdce09f862587b44ea8a4c4f79645788441984464888c6ff

Analysis

max time kernel
46s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 06:32

Target

d32e8344fd18130cfdce09f862587b44ea8a4c4f79645788441984464888c6ff.exe
Size

20KB
MD5

5efd05ade8ef57d2fc41309b01014070
SHA1

2e5505ae5edb8e159e5cbc60aad71ec5c54ed29a
SHA256

d32e8344fd18130cfdce09f862587b44ea8a4c4f79645788441984464888c6ff
SHA512

546020f2c02da0ac52ed0200e05739952d08cb7a65b3922627085541ae4d5bf56bc54bd275948bc794c983275e2cd2c7406e9145ad6bc7c6295a2734fcd8bbfd
SSDEEP

384:cwdXP4/h3I5WfxVPh8dgU3azE1s+o57Z/bSJEdyQMuZMt5CzwQkcMlbhma:cwR4Z3zZVPwqs6VjHAL5CnMlbhma

Score

7^/10

Deletes itself 1 IoCs

pid	Process
664	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1444	d32e8344fd18130cfdce09f862587b44ea8a4c4f79645788441984464888c6ff.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\eohsom.cfg	d32e8344fd18130cfdce09f862587b44ea8a4c4f79645788441984464888c6ff.exe
File opened for modification	C:\Windows\SysWOW64\eohsom.dll	d32e8344fd18130cfdce09f862587b44ea8a4c4f79645788441984464888c6ff.exe
File created	C:\Windows\SysWOW64\eohsom.dll	d32e8344fd18130cfdce09f862587b44ea8a4c4f79645788441984464888c6ff.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1444	d32e8344fd18130cfdce09f862587b44ea8a4c4f79645788441984464888c6ff.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 664	1444	d32e8344fd18130cfdce09f862587b44ea8a4c4f79645788441984464888c6ff.exe	27
PID 1444 wrote to memory of 664	1444	d32e8344fd18130cfdce09f862587b44ea8a4c4f79645788441984464888c6ff.exe	27
PID 1444 wrote to memory of 664	1444	d32e8344fd18130cfdce09f862587b44ea8a4c4f79645788441984464888c6ff.exe	27
PID 1444 wrote to memory of 664	1444	d32e8344fd18130cfdce09f862587b44ea8a4c4f79645788441984464888c6ff.exe	27

C:\Users\Admin\AppData\Local\Temp\d32e8344fd18130cfdce09f862587b44ea8a4c4f79645788441984464888c6ff.exe
"C:\Users\Admin\AppData\Local\Temp\d32e8344fd18130cfdce09f862587b44ea8a4c4f79645788441984464888c6ff.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\d32e8344fd18130cfdce09f862587b44ea8a4c4f79645788441984464888c6ff.exe"
  2⤵
  - Deletes itself
  PID:664

\Windows\SysWOW64\eohsom.dll

Filesize
17KB

MD5
da343336817e7b244ed57e6687bdf516

SHA1
89fd2fc6b03146f91b27eae59a32bd7565561e35

SHA256
70d242d2ea5a67249a87fc101cb53069cffef96463dd02bae71a19a015ef3b9b

SHA512
53d1f5bf9001ed68975c03ab5c864195eaf1f30986bd8d3958b30a0a148a338bf9a3181cc140ede993cd09d25f1b108762e54caf7f25eeac29c331ce7775719d

Download Submit
memory/1444-55-0x0000000025000000-0x0000000025021000-memory.dmp

Filesize
132KB

Download