337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68

Analysis

max time kernel
40s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:55

Target

337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Size

728KB
MD5

914802026021e4833f94641a64387721
SHA1

b9decb867728e00703f3e1a5d5d04570d1005a02
SHA256

337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68
SHA512

43ef9a29453c4e47610a84c553dcbcb9974fe8e432a7e16794b5e5a8f907768dbc7070c062ed6a4b7665c18287d6b84811f306ad2da55df880a9e2a81c663f49
SSDEEP

12288:KRDUdycmIpgnSS3Afn1BIzKBpCPrUqPnvt8:KFUdPSSOAP1+zwQjHPnvt8

Score

1^/10

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe

pid	process
772	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
772	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
772	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe

pid	process
772	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
772	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exenet.exe

description	pid	process	target process
PID 772 wrote to memory of 892	772	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe	net.exe
PID 772 wrote to memory of 892	772	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe	net.exe
PID 772 wrote to memory of 892	772	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe	net.exe
PID 772 wrote to memory of 892	772	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe	net.exe
PID 892 wrote to memory of 464	892	net.exe	net1.exe
PID 892 wrote to memory of 464	892	net.exe	net1.exe
PID 892 wrote to memory of 464	892	net.exe	net1.exe
PID 892 wrote to memory of 464	892	net.exe	net1.exe

C:\Windows\SysWOW64\net.exe
net user Administrator xiaotaodiaoyv
2⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Administrator xiaotaodiaoyv
3⤵
PID:464

memory/464-56-0x0000000000000000-mapping.dmp

Download
memory/772-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/892-55-0x0000000000000000-mapping.dmp

Download