2e427276a6632e6da83fdb27ec4feffebcb81506811d462710e68696baf2c8f8

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 22:54

Target

2e427276a6632e6da83fdb27ec4feffebcb81506811d462710e68696baf2c8f8.exe
Size

55KB
MD5

83969099bc3b747fea871cc976380182
SHA1

a657ca30d3eef9d8c70e87927409d0ff7be2fde5
SHA256

2e427276a6632e6da83fdb27ec4feffebcb81506811d462710e68696baf2c8f8
SHA512

a37678125aee60a6847fd0d393683b034b9e81adb099121f4a3b1c4908b3da6b8ca91b469ae4b3946b9abedaed126b900a1fc3ed1df7dece20f3de0feed0544e
SSDEEP

768:UZWkvx44yc6v1X4uMon4RQeB4cCM+ub7U2mysmi5iLaxn57qKfjdDsL22NnEd4bA:UZR4fFwon9eicp+tCOnlqqjFsmiA

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
4908	winspools.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winspools.exe	2e427276a6632e6da83fdb27ec4feffebcb81506811d462710e68696baf2c8f8.exe
File opened for modification	C:\Windows\SysWOW64\winspools.exe	2e427276a6632e6da83fdb27ec4feffebcb81506811d462710e68696baf2c8f8.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 4908	1684	2e427276a6632e6da83fdb27ec4feffebcb81506811d462710e68696baf2c8f8.exe	81
PID 1684 wrote to memory of 4908	1684	2e427276a6632e6da83fdb27ec4feffebcb81506811d462710e68696baf2c8f8.exe	81
PID 1684 wrote to memory of 4908	1684	2e427276a6632e6da83fdb27ec4feffebcb81506811d462710e68696baf2c8f8.exe	81
PID 1684 wrote to memory of 4932	1684	2e427276a6632e6da83fdb27ec4feffebcb81506811d462710e68696baf2c8f8.exe	82
PID 1684 wrote to memory of 4932	1684	2e427276a6632e6da83fdb27ec4feffebcb81506811d462710e68696baf2c8f8.exe	82
PID 1684 wrote to memory of 4932	1684	2e427276a6632e6da83fdb27ec4feffebcb81506811d462710e68696baf2c8f8.exe	82
PID 4932 wrote to memory of 1256	4932	cmd.exe	84
PID 4932 wrote to memory of 1256	4932	cmd.exe	84
PID 4932 wrote to memory of 1256	4932	cmd.exe	84
PID 4932 wrote to memory of 1512	4932	cmd.exe	85
PID 4932 wrote to memory of 1512	4932	cmd.exe	85
PID 4932 wrote to memory of 1512	4932	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\2e427276a6632e6da83fdb27ec4feffebcb81506811d462710e68696baf2c8f8.exe
"C:\Users\Admin\AppData\Local\Temp\2e427276a6632e6da83fdb27ec4feffebcb81506811d462710e68696baf2c8f8.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\winspools.exe
  C:\Windows\system32\winspools.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c dir | del "C:\Users\Admin\AppData\Local\Temp\2e427276a6632e6da83fdb27ec4feffebcb81506811d462710e68696baf2c8f8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" dir "
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\2e427276a6632e6da83fdb27ec4feffebcb81506811d462710e68696baf2c8f8.exe""
    3⤵
    PID:1512

C:\Windows\SysWOW64\winspools.exe

Filesize
55KB

MD5
83969099bc3b747fea871cc976380182

SHA1
a657ca30d3eef9d8c70e87927409d0ff7be2fde5

SHA256
2e427276a6632e6da83fdb27ec4feffebcb81506811d462710e68696baf2c8f8

SHA512
a37678125aee60a6847fd0d393683b034b9e81adb099121f4a3b1c4908b3da6b8ca91b469ae4b3946b9abedaed126b900a1fc3ed1df7dece20f3de0feed0544e

Download Submit
C:\Windows\SysWOW64\winspools.exe

Filesize
55KB

MD5
83969099bc3b747fea871cc976380182

SHA1
a657ca30d3eef9d8c70e87927409d0ff7be2fde5

SHA256
2e427276a6632e6da83fdb27ec4feffebcb81506811d462710e68696baf2c8f8

SHA512
a37678125aee60a6847fd0d393683b034b9e81adb099121f4a3b1c4908b3da6b8ca91b469ae4b3946b9abedaed126b900a1fc3ed1df7dece20f3de0feed0544e

Download Submit