037f6e5cf0e85d01b8efe5eff5e15b5b0c3d89c2ca055f477f3f2cd79754e8af

Analysis

max time kernel
42s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 01:07

Target

037f6e5cf0e85d01b8efe5eff5e15b5b0c3d89c2ca055f477f3f2cd79754e8af.exe
Size

2.5MB
MD5

6a525aaa87f71e9ef17cef62f469445a
SHA1

6ec113c2589e5e5e4707289aa0db9dde8470247a
SHA256

037f6e5cf0e85d01b8efe5eff5e15b5b0c3d89c2ca055f477f3f2cd79754e8af
SHA512

122c28dcb28f508a02c6abae0b30d5bb07defbbb8a7cc9e20d2597e3d3ac2a98b4d26e90e385c04987e7c41e94a901e73ae07f1eccbc9ad3df841bdd83bec539
SSDEEP

49152:ylY613+T8I5isO1wY2v5KYMTph5AkWe+Nttqlq03E+lVtH8IRu8VL:ylpX6Kv3T9+NulFplVt1nVL

Score

1^/10

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 1772	624	037f6e5cf0e85d01b8efe5eff5e15b5b0c3d89c2ca055f477f3f2cd79754e8af.exe	28
PID 624 wrote to memory of 1772	624	037f6e5cf0e85d01b8efe5eff5e15b5b0c3d89c2ca055f477f3f2cd79754e8af.exe	28
PID 624 wrote to memory of 1772	624	037f6e5cf0e85d01b8efe5eff5e15b5b0c3d89c2ca055f477f3f2cd79754e8af.exe	28
PID 624 wrote to memory of 1772	624	037f6e5cf0e85d01b8efe5eff5e15b5b0c3d89c2ca055f477f3f2cd79754e8af.exe	28
PID 624 wrote to memory of 1772	624	037f6e5cf0e85d01b8efe5eff5e15b5b0c3d89c2ca055f477f3f2cd79754e8af.exe	28
PID 624 wrote to memory of 1772	624	037f6e5cf0e85d01b8efe5eff5e15b5b0c3d89c2ca055f477f3f2cd79754e8af.exe	28
PID 624 wrote to memory of 1772	624	037f6e5cf0e85d01b8efe5eff5e15b5b0c3d89c2ca055f477f3f2cd79754e8af.exe	28
PID 1772 wrote to memory of 1128	1772	Net.exe	30
PID 1772 wrote to memory of 1128	1772	Net.exe	30
PID 1772 wrote to memory of 1128	1772	Net.exe	30
PID 1772 wrote to memory of 1128	1772	Net.exe	30
PID 1772 wrote to memory of 1128	1772	Net.exe	30
PID 1772 wrote to memory of 1128	1772	Net.exe	30
PID 1772 wrote to memory of 1128	1772	Net.exe	30

C:\Users\Admin\AppData\Local\Temp\037f6e5cf0e85d01b8efe5eff5e15b5b0c3d89c2ca055f477f3f2cd79754e8af.exe
"C:\Users\Admin\AppData\Local\Temp\037f6e5cf0e85d01b8efe5eff5e15b5b0c3d89c2ca055f477f3f2cd79754e8af.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:1128

memory/624-54-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download