bc855e627be593161e7ca6ca3f54bc134d557b5c328bfe2335464ea599f66c11

Analysis

max time kernel
55s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 18:37

Target

bc855e627be593161e7ca6ca3f54bc134d557b5c328bfe2335464ea599f66c11.exe
Size

41KB
MD5

cfd13395703a35b02be5b80edf1b8826
SHA1

ce0ecc59eb9b9aceaeff0ffe214a6ae32c91084b
SHA256

bc855e627be593161e7ca6ca3f54bc134d557b5c328bfe2335464ea599f66c11
SHA512

1cc182b6ea3e01b9bc7f3e0aae0703ce5da9ff8ebae84d980bc28200154f1fd5afc196f26ae8bc36585688ebf666079f77da8dbb9fdb80b68e50b8c0955f1511
SSDEEP

768:X5DZ2h94FnpQPn4NSmRFm3qtWiUCb+BHPSNJCTGriVVBonMcFqed6tIDsox:np64jg6tWiUCbnN1GzonMcFR66D

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
1032	WmInit.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WmInit.exe	bc855e627be593161e7ca6ca3f54bc134d557b5c328bfe2335464ea599f66c11.exe
File opened for modification	C:\Windows\SysWOW64\tmp	bc855e627be593161e7ca6ca3f54bc134d557b5c328bfe2335464ea599f66c11.exe
File created	C:\Windows\SysWOW64\tmp	bc855e627be593161e7ca6ca3f54bc134d557b5c328bfe2335464ea599f66c11.exe
File created	C:\Windows\SysWOW64\WmInit.dat	bc855e627be593161e7ca6ca3f54bc134d557b5c328bfe2335464ea599f66c11.exe
File opened for modification	C:\Windows\SysWOW64\WmInit.exe	bc855e627be593161e7ca6ca3f54bc134d557b5c328bfe2335464ea599f66c11.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1032	2212	bc855e627be593161e7ca6ca3f54bc134d557b5c328bfe2335464ea599f66c11.exe	86
PID 2212 wrote to memory of 1032	2212	bc855e627be593161e7ca6ca3f54bc134d557b5c328bfe2335464ea599f66c11.exe	86
PID 2212 wrote to memory of 1032	2212	bc855e627be593161e7ca6ca3f54bc134d557b5c328bfe2335464ea599f66c11.exe	86

C:\Users\Admin\AppData\Local\Temp\bc855e627be593161e7ca6ca3f54bc134d557b5c328bfe2335464ea599f66c11.exe
"C:\Users\Admin\AppData\Local\Temp\bc855e627be593161e7ca6ca3f54bc134d557b5c328bfe2335464ea599f66c11.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\WmInit.exe
  "C:\Windows\system32\WmInit.exe" "C:\Users\Admin\AppData\Local\Temp\bc855e627be593161e7ca6ca3f54bc134d557b5c328bfe2335464ea599f66c11.exe"
  2⤵
  - Executes dropped EXE
  PID:1032

C:\Windows\SysWOW64\WmInit.exe

Filesize
320KB

MD5
051031759e9717577ab272d0375eb413

SHA1
f73ed59dd6566bd56331a3c69f4b3e8fc3625967

SHA256
a4a0fcf54928b7ca9c3fcca1599ebfb7bec44362ad4e4efa4814214ab57328ea

SHA512
980c0d95baa96d75815e60af014566a63186a7d77a9ccc19a0eefa9509a189a76713c28146363f5617baf02bab9bca9caac9b47f7b238d894268c0e901d4a21e

Download Submit
memory/2212-132-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/2212-133-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download