e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783

Analysis

max time kernel
39s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 03:17

Target

e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe
Size

116KB
MD5

ded439c034dced5e4b44f8060a845481
SHA1

3187605529a74ab20941ac5568ba6d693fef469c
SHA256

e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783
SHA512

6b2808671d9c3bfa4501a11ec7416c3bd333c0d486804f0fe8831009b9adce4a45a8ef853028602d5bc42e566f86b2b0f036d09d610d40a325779f48af7e679c
SSDEEP

3072:10AP6JVposuZPL2Q4SfVv6TGeFR291+qGHjk56EXIEZS:1sJVposucQ4syTGeF8+qGq6cIE

Score

5^/10

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\amurpm.dll	e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe
File opened for modification	C:\Windows\SysWOW64\userinit.exe	e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe
File opened for modification	C:\Windows\SysWOW64\ntxeed.dll	e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1508 set thread context of 952	1508	e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe	28

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1508	e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe
1508	e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe
1508	e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1508	e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 952	1508	e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe	28
PID 1508 wrote to memory of 952	1508	e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe	28
PID 1508 wrote to memory of 952	1508	e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe	28
PID 1508 wrote to memory of 952	1508	e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe	28
PID 1508 wrote to memory of 952	1508	e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe	28
PID 1508 wrote to memory of 952	1508	e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe	28
PID 1508 wrote to memory of 952	1508	e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe	28
PID 1508 wrote to memory of 952	1508	e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe	28
PID 1508 wrote to memory of 952	1508	e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe	28
PID 1508 wrote to memory of 952	1508	e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe	28
PID 1508 wrote to memory of 952	1508	e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe	28

C:\Users\Admin\AppData\Local\Temp\e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe
"C:\Users\Admin\AppData\Local\Temp\e965eb7b272946b73270301c6759fac057bb0043f0c68de68e1c5bbcd62f8783.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe
  2⤵
  PID:952

memory/952-56-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/952-57-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/952-62-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/952-59-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1508-65-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download