ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f

Analysis

max time kernel
117s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 16:48

Target

ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f.exe
Size

94KB
MD5

1651a4b94398baec98cde5bfe5e4d6b2
SHA1

27729660be6b1a8797823dca57116ffd7c789d9f
SHA256

ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f
SHA512

196cc06b2e01a09ae1f922e4087ac61c567c9609768a7f6141221b770c6029f77400746dac4dc56b52ab1ff17b08f507fd842aae4d666b7597a279cc9de15ae4
SSDEEP

1536:crFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prj2c3JIi:cFS4jHS8q/3nTzePCwNUh4E9jb6i

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
1380	fkwehexmbf

Loads dropped DLL 2 IoCs

pid	Process
1944	ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f.exe
1944	ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1380	1944	ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f.exe	27
PID 1944 wrote to memory of 1380	1944	ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f.exe	27
PID 1944 wrote to memory of 1380	1944	ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f.exe	27
PID 1944 wrote to memory of 1380	1944	ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f.exe	27

C:\Users\Admin\AppData\Local\Temp\ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f.exe
"C:\Users\Admin\AppData\Local\Temp\ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944
- \??\c:\users\admin\appdata\local\fkwehexmbf
  "C:\Users\Admin\AppData\Local\Temp\ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f.exe" a -sc:\users\admin\appdata\local\temp\ddab2fe98b6d831ff7970cfd34a9791aa5ecf28756f836f32055894ab881791f.exe
  2⤵
  - Executes dropped EXE
  PID:1380

C:\Users\Admin\AppData\Local\fkwehexmbf

Filesize
19.2MB

MD5
ba361d1cbd5d8ea155a3a49a199d3ce1

SHA1
55071ed7c12270b77667639a976ee2ce8d199780

SHA256
ac96eb56cd027c39a9b90469d17d6f49eaaeff2e3ba01cf0c4cf6fa4d3bf03ef

SHA512
c5bab2b90f1184193ea55e6bb45318620f0d1b3e9e75136b80d66bd2e6736a2f18281a5275f1116a5b736354775582bfa252ba66b903d0fa65e9ae022f2adfca

Download Submit
\Users\Admin\AppData\Local\fkwehexmbf

Filesize
19.2MB

MD5
ba361d1cbd5d8ea155a3a49a199d3ce1

SHA1
55071ed7c12270b77667639a976ee2ce8d199780

SHA256
ac96eb56cd027c39a9b90469d17d6f49eaaeff2e3ba01cf0c4cf6fa4d3bf03ef

SHA512
c5bab2b90f1184193ea55e6bb45318620f0d1b3e9e75136b80d66bd2e6736a2f18281a5275f1116a5b736354775582bfa252ba66b903d0fa65e9ae022f2adfca

Download Submit
\Users\Admin\AppData\Local\fkwehexmbf

Filesize
19.2MB

MD5
ba361d1cbd5d8ea155a3a49a199d3ce1

SHA1
55071ed7c12270b77667639a976ee2ce8d199780

SHA256
ac96eb56cd027c39a9b90469d17d6f49eaaeff2e3ba01cf0c4cf6fa4d3bf03ef

SHA512
c5bab2b90f1184193ea55e6bb45318620f0d1b3e9e75136b80d66bd2e6736a2f18281a5275f1116a5b736354775582bfa252ba66b903d0fa65e9ae022f2adfca

Download Submit
memory/1380-60-0x0000000000400000-0x000000000044E1F8-memory.dmp

Filesize
312KB

Download
memory/1380-61-0x0000000000400000-0x000000000044E1F8-memory.dmp

Filesize
312KB

Download
memory/1944-54-0x0000000000400000-0x000000000044E1F8-memory.dmp

Filesize
312KB

Download
memory/1944-55-0x0000000000400000-0x000000000044E1F8-memory.dmp

Filesize
312KB

Download