a1d236b5300e0040f385bae1cf6915db717403b5742992ecdd7140890df09197

Analysis

max time kernel
24s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 20:21

Target

a1d236b5300e0040f385bae1cf6915db717403b5742992ecdd7140890df09197.exe
Size

18KB
MD5

277ad799c1b3bfe854c390e0cf6ad52d
SHA1

d7a707c7e276d35015ca5750d9e14602d19ddd2d
SHA256

a1d236b5300e0040f385bae1cf6915db717403b5742992ecdd7140890df09197
SHA512

adc2d9e1d72108b92a2bfabed3f1c9c47f6590a07bc1ab6c75f9de91c0d14750fd607a5a066451e55bfb97d28480186303f2b237e95ee80ee7785d11b977eef8
SSDEEP

384:J2VHYGIPEbUaAiLCxm44LO4FwdbovnndX/1xMirvcFOIOSz8XGL9y2:cyEtpLUmXO4mdb69/NYFOItz8XK9y

Score

7^/10

Deletes itself 1 IoCs

pid	Process
940	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1836	regsvr32.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Helper\findsiteonline.dll	a1d236b5300e0040f385bae1cf6915db717403b5742992ecdd7140890df09197.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 1836	668	a1d236b5300e0040f385bae1cf6915db717403b5742992ecdd7140890df09197.exe	28
PID 668 wrote to memory of 1836	668	a1d236b5300e0040f385bae1cf6915db717403b5742992ecdd7140890df09197.exe	28
PID 668 wrote to memory of 1836	668	a1d236b5300e0040f385bae1cf6915db717403b5742992ecdd7140890df09197.exe	28
PID 668 wrote to memory of 1836	668	a1d236b5300e0040f385bae1cf6915db717403b5742992ecdd7140890df09197.exe	28
PID 668 wrote to memory of 1836	668	a1d236b5300e0040f385bae1cf6915db717403b5742992ecdd7140890df09197.exe	28
PID 668 wrote to memory of 1836	668	a1d236b5300e0040f385bae1cf6915db717403b5742992ecdd7140890df09197.exe	28
PID 668 wrote to memory of 1836	668	a1d236b5300e0040f385bae1cf6915db717403b5742992ecdd7140890df09197.exe	28
PID 668 wrote to memory of 940	668	a1d236b5300e0040f385bae1cf6915db717403b5742992ecdd7140890df09197.exe	29
PID 668 wrote to memory of 940	668	a1d236b5300e0040f385bae1cf6915db717403b5742992ecdd7140890df09197.exe	29
PID 668 wrote to memory of 940	668	a1d236b5300e0040f385bae1cf6915db717403b5742992ecdd7140890df09197.exe	29
PID 668 wrote to memory of 940	668	a1d236b5300e0040f385bae1cf6915db717403b5742992ecdd7140890df09197.exe	29

C:\Users\Admin\AppData\Local\Temp\a1d236b5300e0040f385bae1cf6915db717403b5742992ecdd7140890df09197.exe
"C:\Users\Admin\AppData\Local\Temp\a1d236b5300e0040f385bae1cf6915db717403b5742992ecdd7140890df09197.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Program Files (x86)\Helper\findsiteonline.dll"
  2⤵
  - Loads dropped DLL
  PID:1836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\tempdel.bat
  2⤵
  - Deletes itself
  PID:940

C:\Program Files (x86)\Helper\findsiteonline.dll

Filesize
15KB

MD5
36c81dfa646364217fcf1530e9529513

SHA1
1888bc4476b242c461fbe755f04c07c2b9f7671f

SHA256
b21e6e4f5b9c70bc63e3dacb6e08f785aeef675057691ad56a578f1cd7e0ede6

SHA512
fb075ee5c59ae903dfa65418bddcf80d1404b0c59977e32044e9e2fdaa78da49372e304b97eefcbe2ccf7dda4ea3af10589d3867189163d0f47adf3c8cc9b726

Download Submit
\??\c:\tempdel.bat

Filesize
268B

MD5
6aa5c83948c94ce949b7028b37fbdd76

SHA1
ad41eeb14c16792fb2ecf17d2986244118db1620

SHA256
e9dd2367cb1e55056de4fa4879a99d1467d4250b8127972af79cb31e02c05964

SHA512
efc417573cc0ac55e2ffc1416a4f15c35cf1dbc34f33dae80b873aa500e88f8502ffd3f9b065b1665a23c4b1af7478f7c52d367fce16b9b69055237a1e74200d

Download Submit
\Program Files (x86)\Helper\findsiteonline.dll

Filesize
15KB

MD5
36c81dfa646364217fcf1530e9529513

SHA1
1888bc4476b242c461fbe755f04c07c2b9f7671f

SHA256
b21e6e4f5b9c70bc63e3dacb6e08f785aeef675057691ad56a578f1cd7e0ede6

SHA512
fb075ee5c59ae903dfa65418bddcf80d1404b0c59977e32044e9e2fdaa78da49372e304b97eefcbe2ccf7dda4ea3af10589d3867189163d0f47adf3c8cc9b726

Download Submit
memory/668-59-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1836-55-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download