cb658531be479646bd7f7fb1a755c3e6abc62a234a43957038252cf5072ab505

Analysis

max time kernel
63s
max time network
29s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 12:04

Target

cb658531be479646bd7f7fb1a755c3e6abc62a234a43957038252cf5072ab505.exe
Size

32KB
MD5

469ccc5ae7025675800f2737ab1e6077
SHA1

136af2f77228891852c5e9f767c4d923678f2103
SHA256

cb658531be479646bd7f7fb1a755c3e6abc62a234a43957038252cf5072ab505
SHA512

96a81e20b03d755ab26e5bf18ca04c56d230159c46cd148a6e81230e72d7f79b55d360c0f9819a795d624a13715cbad3f6b7a366fe9fd26c6b5908a5be10d809
SSDEEP

192:yuDIkoD/3ldKr+RxdsBP3DAxAwCMrpY7e8LqPZo5LdCfq1Rn6O3E/Br46:yu0rBdPRxdsJAxAr6+e9Pfqbn1EBr46

Score

5^/10

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\LOWLEVEL.SCR	cb658531be479646bd7f7fb1a755c3e6abc62a234a43957038252cf5072ab505.exe
File opened for modification	C:\Windows\SysWOW64\LLFORMAT.BAT	cb658531be479646bd7f7fb1a755c3e6abc62a234a43957038252cf5072ab505.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1676	cb658531be479646bd7f7fb1a755c3e6abc62a234a43957038252cf5072ab505.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 668	1676	cb658531be479646bd7f7fb1a755c3e6abc62a234a43957038252cf5072ab505.exe	28
PID 1676 wrote to memory of 668	1676	cb658531be479646bd7f7fb1a755c3e6abc62a234a43957038252cf5072ab505.exe	28
PID 1676 wrote to memory of 668	1676	cb658531be479646bd7f7fb1a755c3e6abc62a234a43957038252cf5072ab505.exe	28
PID 1676 wrote to memory of 668	1676	cb658531be479646bd7f7fb1a755c3e6abc62a234a43957038252cf5072ab505.exe	28

C:\Users\Admin\AppData\Local\Temp\cb658531be479646bd7f7fb1a755c3e6abc62a234a43957038252cf5072ab505.exe
"C:\Users\Admin\AppData\Local\Temp\cb658531be479646bd7f7fb1a755c3e6abc62a234a43957038252cf5072ab505.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\System32\LLFORMAT.BAT
  2⤵
  PID:668

C:\Windows\SysWOW64\LLFORMAT.BAT

Filesize
22B

MD5
6246e960c4edaaa553a0c6b002edc02a

SHA1
d0032a1f3dddc6a8560fecb6fefc6ce5fe2fd766

SHA256
9335b950f25361be9372e0ed5bf3b8f9347dd6a74127524eeff0215af8f0db13

SHA512
7dcb2b98356064c73d72e9efe7ec7a4c1df043f9d695f14afbf4cde1ff82d2431e1b92909ccaffcd6825c23061ada90073f15018db5d7feb086566c284d6880e

Download Submit
memory/1676-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1676-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download