7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea

Analysis

max time kernel
49s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 06:08

Target

7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe
Size

356KB
MD5

77c5b14bbb92ded1ffdd415e9624d208
SHA1

0f0a4c2db9e443244db276ae811a266a0561506d
SHA256

7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea
SHA512

ef547cde97de9d06b31c14d6070160e53bf94f73162889a7799651d5d56dc3799c935e6129748ac7c5b7d7659e5177d22c37b5335a377edacb6ea2325eeb9715
SSDEEP

6144:YJXPUF2odfWbeDA0kZtCiyxhrTWLSJxWqwQakUCz6:YtUFybe4YFEAxOQ1Nz

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
912	tmpNPYD.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
912	tmpNPYD.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
912	tmpNPYD.exe
912	tmpNPYD.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	912	tmpNPYD.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
912	tmpNPYD.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1500	2012	7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe	26
PID 2012 wrote to memory of 1500	2012	7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe	26
PID 2012 wrote to memory of 1500	2012	7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe	26
PID 1500 wrote to memory of 912	1500	cmd.exe	28
PID 1500 wrote to memory of 912	1500	cmd.exe	28
PID 1500 wrote to memory of 912	1500	cmd.exe	28
PID 1500 wrote to memory of 912	1500	cmd.exe	28

C:\Users\Admin\AppData\Local\Temp\7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe
"C:\Users\Admin\AppData\Local\Temp\7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\system32\cmd.exe
  "cmd" /c cd %temp% & start /B tmpNPYD.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\tmpNPYD.exe
    tmpNPYD.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:912

C:\Users\Admin\AppData\Local\Temp\tmpNPYD.exe

Filesize
280KB

MD5
6da6e11cf900c0825092b8e5c4cddde4

SHA1
b5f8461b74d432fad52de4d5d346da28a7f20e01

SHA256
f46162f715956e398a2e45babecc9b0407d3a7eba21f968009033457876627bf

SHA512
1130e21be836d1884fe4f4b543c692b4dbae8a911dd83a2e6cb79079e69e20234e682d08b488309d5dadf0e48d82709a10140f64f36a85defe0be288bc9ab672

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpNPYD.exe

Filesize
280KB

MD5
6da6e11cf900c0825092b8e5c4cddde4

SHA1
b5f8461b74d432fad52de4d5d346da28a7f20e01

SHA256
f46162f715956e398a2e45babecc9b0407d3a7eba21f968009033457876627bf

SHA512
1130e21be836d1884fe4f4b543c692b4dbae8a911dd83a2e6cb79079e69e20234e682d08b488309d5dadf0e48d82709a10140f64f36a85defe0be288bc9ab672

Download Submit
memory/912-60-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download
memory/912-61-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/912-62-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/2012-54-0x00000000002C0000-0x0000000000322000-memory.dmp

Filesize
392KB

Download
memory/2012-55-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp

Filesize
8KB

Download