bfd4c4ceff847ae4b669274b6f7c5ffec5f62177f9f02b1624606b1d75255c48

Analysis

max time kernel
38s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 23:16

Target

bfd4c4ceff847ae4b669274b6f7c5ffec5f62177f9f02b1624606b1d75255c48.exe
Size

68KB
MD5

43acc1a4dbcb73e2e1b5d53974f02032
SHA1

f549c5734f6c349355b3da2a4830bc98e6146260
SHA256

bfd4c4ceff847ae4b669274b6f7c5ffec5f62177f9f02b1624606b1d75255c48
SHA512

e9a896bd662ec6735e365c644e302fc337778600ec79915a1b1bd08546df53485392fa31ad9be3935b59acaeebfac7ba9ca7dc389525e44f37c445ff0646d6a0
SSDEEP

768:K8EyXFiQOgFpSafqnlZQBISf968C36JpW:K8fIWfKiISf96qpW

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1944	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\del.bat	bfd4c4ceff847ae4b669274b6f7c5ffec5f62177f9f02b1624606b1d75255c48.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1944	1960	bfd4c4ceff847ae4b669274b6f7c5ffec5f62177f9f02b1624606b1d75255c48.exe	26
PID 1960 wrote to memory of 1944	1960	bfd4c4ceff847ae4b669274b6f7c5ffec5f62177f9f02b1624606b1d75255c48.exe	26
PID 1960 wrote to memory of 1944	1960	bfd4c4ceff847ae4b669274b6f7c5ffec5f62177f9f02b1624606b1d75255c48.exe	26
PID 1960 wrote to memory of 1944	1960	bfd4c4ceff847ae4b669274b6f7c5ffec5f62177f9f02b1624606b1d75255c48.exe	26
PID 1960 wrote to memory of 1944	1960	bfd4c4ceff847ae4b669274b6f7c5ffec5f62177f9f02b1624606b1d75255c48.exe	26
PID 1960 wrote to memory of 1944	1960	bfd4c4ceff847ae4b669274b6f7c5ffec5f62177f9f02b1624606b1d75255c48.exe	26
PID 1960 wrote to memory of 1944	1960	bfd4c4ceff847ae4b669274b6f7c5ffec5f62177f9f02b1624606b1d75255c48.exe	26

C:\Users\Admin\AppData\Local\Temp\bfd4c4ceff847ae4b669274b6f7c5ffec5f62177f9f02b1624606b1d75255c48.exe
"C:\Users\Admin\AppData\Local\Temp\bfd4c4ceff847ae4b669274b6f7c5ffec5f62177f9f02b1624606b1d75255c48.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\del.bat
  2⤵
  - Deletes itself
  PID:1944

C:\Windows\SysWOW64\del.bat

Filesize
284B

MD5
940727f5418c34ce5bb975ff2f647474

SHA1
87dc9ac0b14cd7381a501fe56a475daa4527dd6a

SHA256
b52ca856a23d27225230c16bf18f6fce2616c38d90fdeca23e277687a142f9da

SHA512
ff1e87470b23ccc5e827fbb1270b52e73529c3630e8af3d006320784fd70197090615a366caca6c7c1960b439ad064f6e05c4f6661172d09c0f1bf0570ce8a3a

Download Submit
memory/1960-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download