5f081d89efa749004df9988197fdb31294b8a789077a89028047d4bbc75c8cf7

Analysis

max time kernel
39s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 07:20

Target

5f081d89efa749004df9988197fdb31294b8a789077a89028047d4bbc75c8cf7.exe
Size

68KB
MD5

a262f5076ac16b0de54b85c399922379
SHA1

53ec595e9709e0d33d21e37a188d3a3eb921fc49
SHA256

5f081d89efa749004df9988197fdb31294b8a789077a89028047d4bbc75c8cf7
SHA512

e84bec70cb87871f41c05137e34d59515f59e04c5fbad41ed9fc569c1fe025089b0e448d9649b4470f7cb64a289ff6a6c3fc5a2d3042ef58e2cdca1bac73ee08
SSDEEP

768:K8EyXFiQOgFpSafqnlZQBISf968C36JpW:K8fIWfKiISf96qpW

Score

7^/10

Deletes itself 1 IoCs

pid	Process
880	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\del.bat	5f081d89efa749004df9988197fdb31294b8a789077a89028047d4bbc75c8cf7.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 880	1428	5f081d89efa749004df9988197fdb31294b8a789077a89028047d4bbc75c8cf7.exe	27
PID 1428 wrote to memory of 880	1428	5f081d89efa749004df9988197fdb31294b8a789077a89028047d4bbc75c8cf7.exe	27
PID 1428 wrote to memory of 880	1428	5f081d89efa749004df9988197fdb31294b8a789077a89028047d4bbc75c8cf7.exe	27
PID 1428 wrote to memory of 880	1428	5f081d89efa749004df9988197fdb31294b8a789077a89028047d4bbc75c8cf7.exe	27
PID 1428 wrote to memory of 880	1428	5f081d89efa749004df9988197fdb31294b8a789077a89028047d4bbc75c8cf7.exe	27
PID 1428 wrote to memory of 880	1428	5f081d89efa749004df9988197fdb31294b8a789077a89028047d4bbc75c8cf7.exe	27
PID 1428 wrote to memory of 880	1428	5f081d89efa749004df9988197fdb31294b8a789077a89028047d4bbc75c8cf7.exe	27

C:\Users\Admin\AppData\Local\Temp\5f081d89efa749004df9988197fdb31294b8a789077a89028047d4bbc75c8cf7.exe
"C:\Users\Admin\AppData\Local\Temp\5f081d89efa749004df9988197fdb31294b8a789077a89028047d4bbc75c8cf7.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\del.bat
  2⤵
  - Deletes itself
  PID:880

C:\Windows\SysWOW64\del.bat

Filesize
284B

MD5
85499fb5594a27c0b88cb2f9763b67d8

SHA1
f92e595be0b21f735c049a81eb553ff98ca2fc81

SHA256
1171a6ba9abda31d8cb34375446d6c9539caacd414a3723b10e8c136d68fcbf9

SHA512
f73be6edce60b126fa3744d1ddeba2aad0aa5499bd991c0a19db183f3ea446ed6e11f7bc4846d3d6673cb0efb78bdcc7676e36edde701b504302be57773f70d2

Download Submit
memory/1428-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download