dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3

Analysis

max time kernel
177s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 06:58

Target

dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe
Size

2.2MB
MD5

acf5f84bef5a19b428e14394c4cb813a
SHA1

c6809d2ea06263104d05fa21414343020794f509
SHA256

dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3
SHA512

73b638e30773fb60d0a4a8b06827f773c3e97289f6ed280bc332c288f41f9583df077620f0ab9585a87defbeb6be1f5e4f45583dab66be16a070d1d6773208fb
SSDEEP

24576:mRYsKMIZpeBAQMt933T0vOYdeBmyMhBMAcWBs1CEbAJFiJsrLPcwtOAPtinu7vgE:pvVL5QTNkgwqvVnETVYp

Score

8^/10

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\suchost.exe	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe
File created	C:\Windows\SysWOW64\drivers\suchost.exe	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe

Executes dropped EXE 1 IoCs

pid	Process
1452	suchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 2512	3880	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe	80
PID 3880 wrote to memory of 2512	3880	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe	80
PID 3880 wrote to memory of 2512	3880	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe	80
PID 3880 wrote to memory of 1452	3880	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe	82
PID 3880 wrote to memory of 1452	3880	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe	82
PID 3880 wrote to memory of 1452	3880	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe	82

C:\Users\Admin\AppData\Local\Temp\dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe
"C:\Users\Admin\AppData\Local\Temp\dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\30$$.bat
  2⤵
  PID:2512
- C:\Windows\SysWOW64\drivers\suchost.exe
  C:\Windows\system32\drivers\suchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1452

C:\Users\Admin\AppData\Local\Temp\30$$.bat

Filesize
677B

MD5
5a4c85905d40178b4cd879e61771051b

SHA1
a29ca1ce69e077ea095686abb2273144c3406d81

SHA256
946a06e5a6d5a18134fb9eb85cdf899772c455fbaf11267cc4f17b2cd67909e9

SHA512
c3730af71f7af53fef8cf2ca28f3928590de6466293dfdae5b5c91a08f5682a325d072a07136863cdff39064c816fb0c424a43c7d99dbca8c7c31b60df1df96f

Download Submit
C:\Windows\SysWOW64\drivers\suchost.exe

Filesize
209KB

MD5
23fb3e17eb83d00c6dd806ee7341fcc8

SHA1
4df23ac55c064c04b9f5dad87b92bfe3d5686afc

SHA256
949f5489f9ee0d06cb743404ccebe609064bc6867a314528c2868620f6ea0a12

SHA512
a504cf1c0546af52ce5ca6040230ea48bf181f68e572cf8e66cdec5186aa55d8a650d7a6275311e0dd9e9c4a98cf485afd21b22cf69286e5fd1576fb4250f2d3

Download Submit
C:\Windows\SysWOW64\drivers\suchost.exe

Filesize
209KB

MD5
23fb3e17eb83d00c6dd806ee7341fcc8

SHA1
4df23ac55c064c04b9f5dad87b92bfe3d5686afc

SHA256
949f5489f9ee0d06cb743404ccebe609064bc6867a314528c2868620f6ea0a12

SHA512
a504cf1c0546af52ce5ca6040230ea48bf181f68e572cf8e66cdec5186aa55d8a650d7a6275311e0dd9e9c4a98cf485afd21b22cf69286e5fd1576fb4250f2d3

Download Submit