ae667b573e33370233cf6dc3e025bd857f1049d25991ec18b792f4056b7cfb16

Analysis

max time kernel
37s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 08:07

Target

ae667b573e33370233cf6dc3e025bd857f1049d25991ec18b792f4056b7cfb16.exe
Size

621KB
MD5

e6fe9949970f1603cea4d911ed453829
SHA1

e309db9446967478dbb6dcc1b6cb35eb3eb165f1
SHA256

ae667b573e33370233cf6dc3e025bd857f1049d25991ec18b792f4056b7cfb16
SHA512

89f4c0425fd13b65f88f277abdbc2f186ffc7db936fe5bf0433b442b9e5ed6561bc391b6cff80e0655e4c9512bf57d564e77a3a98d8095ff2c8be0f4e31464d8
SSDEEP

12288:BJ/WwN1qqTr0DsF/fMNTGe+SV7ysor8+BF3Z4mxxYbxf+1bQ8YD:FNwH97yv5QmXY1GQD

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
1696	svch0st.exe

Deletes itself 1 IoCs

pid	Process
1608	cmd.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\svch0st.exe	ae667b573e33370233cf6dc3e025bd857f1049d25991ec18b792f4056b7cfb16.exe
File created	C:\Program Files\svch0st.exe	ae667b573e33370233cf6dc3e025bd857f1049d25991ec18b792f4056b7cfb16.exe
File created	C:\Program Files\svch0st.dll	svch0st.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1228	ae667b573e33370233cf6dc3e025bd857f1049d25991ec18b792f4056b7cfb16.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1608	1228	ae667b573e33370233cf6dc3e025bd857f1049d25991ec18b792f4056b7cfb16.exe	28
PID 1228 wrote to memory of 1608	1228	ae667b573e33370233cf6dc3e025bd857f1049d25991ec18b792f4056b7cfb16.exe	28
PID 1228 wrote to memory of 1608	1228	ae667b573e33370233cf6dc3e025bd857f1049d25991ec18b792f4056b7cfb16.exe	28
PID 1228 wrote to memory of 1608	1228	ae667b573e33370233cf6dc3e025bd857f1049d25991ec18b792f4056b7cfb16.exe	28

C:\Users\Admin\AppData\Local\Temp\ae667b573e33370233cf6dc3e025bd857f1049d25991ec18b792f4056b7cfb16.exe
"C:\Users\Admin\AppData\Local\Temp\ae667b573e33370233cf6dc3e025bd857f1049d25991ec18b792f4056b7cfb16.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5700$$.bat
  2⤵
  - Deletes itself
  PID:1608

C:\Program Files\svch0st.exe

Filesize
621KB

MD5
e6fe9949970f1603cea4d911ed453829

SHA1
e309db9446967478dbb6dcc1b6cb35eb3eb165f1

SHA256
ae667b573e33370233cf6dc3e025bd857f1049d25991ec18b792f4056b7cfb16

SHA512
89f4c0425fd13b65f88f277abdbc2f186ffc7db936fe5bf0433b442b9e5ed6561bc391b6cff80e0655e4c9512bf57d564e77a3a98d8095ff2c8be0f4e31464d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5700$$.bat

Filesize
152B

MD5
3079c5ec8e733140c68eab2ba1a461ab

SHA1
88959f8e2be0fd20a1eae2bd3b1e7ea183a01d35

SHA256
8e7e7c4383c6bcd1a52c9b29fae89c6e4cde8b596f13f0f55cdcd0e072217bd8

SHA512
43e2aa2b110ad4c70e7babde34b1e97c2d016422b615110103e407cedc8afa5976c58232e77ce2f1fbdc98e9dcb511b9fb9d50ffe6aeb95bf5b3e33a27a8287d

Download Submit
memory/1228-54-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1228-55-0x0000000000560000-0x00000000005B4000-memory.dmp

Filesize
336KB

Download
memory/1228-58-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1696-60-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1696-61-0x0000000000350000-0x00000000003A4000-memory.dmp

Filesize
336KB

Download