e4deec56c577db67bb846507c220e9622e61407a1d720142d8cbe6cc64add834

Analysis

max time kernel
188s
max time network
73s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-10-2022 19:21

Target

e4deec56c577db67bb846507c220e9622e61407a1d720142d8cbe6cc64add834.exe
Size

140KB
MD5

a091cf95000bafd056405970880564e0
SHA1

c073ba6662284a0950290cea636434b871b34ab1
SHA256

e4deec56c577db67bb846507c220e9622e61407a1d720142d8cbe6cc64add834
SHA512

e57035331dafcf4f8d141305f372184221180d90a07b977e1674f1889ed852293390e085f49d59bb9222ce5a64e0ded92cb2289dd9a34951383eeea019ac5c07
SSDEEP

3072:TuZvTy0r7sR7+lcFFyqYXA5vj62+bv+9mS7AZoOP0:iBDqEAjt2+FAZoOM

Score

4^/10

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\E2A24B4F.exe	e4deec56c577db67bb846507c220e9622e61407a1d720142d8cbe6cc64add834.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1364	e4deec56c577db67bb846507c220e9622e61407a1d720142d8cbe6cc64add834.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1508	1364	e4deec56c577db67bb846507c220e9622e61407a1d720142d8cbe6cc64add834.exe	27
PID 1364 wrote to memory of 1508	1364	e4deec56c577db67bb846507c220e9622e61407a1d720142d8cbe6cc64add834.exe	27
PID 1364 wrote to memory of 1508	1364	e4deec56c577db67bb846507c220e9622e61407a1d720142d8cbe6cc64add834.exe	27
PID 1364 wrote to memory of 1508	1364	e4deec56c577db67bb846507c220e9622e61407a1d720142d8cbe6cc64add834.exe	27
PID 1364 wrote to memory of 1508	1364	e4deec56c577db67bb846507c220e9622e61407a1d720142d8cbe6cc64add834.exe	27
PID 1364 wrote to memory of 1508	1364	e4deec56c577db67bb846507c220e9622e61407a1d720142d8cbe6cc64add834.exe	27
PID 1364 wrote to memory of 1508	1364	e4deec56c577db67bb846507c220e9622e61407a1d720142d8cbe6cc64add834.exe	27

C:\Users\Admin\AppData\Local\Temp\e4deec56c577db67bb846507c220e9622e61407a1d720142d8cbe6cc64add834.exe
"C:\Users\Admin\AppData\Local\Temp\e4deec56c577db67bb846507c220e9622e61407a1d720142d8cbe6cc64add834.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\ilolijgbl.vbs" //B //Nologo
  2⤵
  PID:1508

C:\Users\Admin\AppData\Local\Temp\ilolijgbl.vbs

Filesize
93B

MD5
62ea2cb12f3e0e4a2232f6ddd0b4f447

SHA1
abca1f30ccf359d350a793afda9ee316b3ec4ead

SHA256
59c9050507c3bb2cd5a0f15f5ba26fd6406639314ab3ba59814a1f04985fd0e0

SHA512
8b48a6799d7d8dcc203ab15c0d6ec152cd3540587a49b1b2fa458f130eac6562c3f4692fd78dab3cf0e0a3ae1b3d5eac4c771e7788450421a4490b15d0edff1a

Download Submit
memory/1364-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1508-55-0x0000000000000000-mapping.dmp

Download