ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae

Analysis

max time kernel
55s
max time network
178s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 12:07

Target

ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe
Size

31KB
MD5

4f6aa0237b0f6afdcdbbb152b682f581
SHA1

48f82db348ccab01b35b4fccd1e4caea998e6d68
SHA256

ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae
SHA512

1c966c5b0fe82727debd202e470d3f426f1b654bb08d3e8a0a977999ff73b74332e0cd74014a77cdb45774f0aca0cf22900631f3a2f98198a8e2d4e9d79e175a
SSDEEP

768:f6nn/dB6c7L5pFn3nvzMOoPgEPkYBv3fMO:f6nlBtJDvzsPgEPkYpUO

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1952	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe:ext.exe	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe
File created	C:\Windows\SysWOW64\fci.exe.exe:ext.exe	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe
File opened for modification	C:\Windows\SysWOW64\fci.exe.exe:ext.exe	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 304 set thread context of 316	304	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe	27

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 304 wrote to memory of 316	304	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe	27
PID 304 wrote to memory of 316	304	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe	27
PID 304 wrote to memory of 316	304	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe	27
PID 304 wrote to memory of 316	304	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe	27
PID 304 wrote to memory of 316	304	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe	27
PID 304 wrote to memory of 1952	304	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe	28
PID 304 wrote to memory of 1952	304	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe	28
PID 304 wrote to memory of 1952	304	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe	28
PID 304 wrote to memory of 1952	304	ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe	28

C:\Users\Admin\AppData\Local\Temp\ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe
"C:\Users\Admin\AppData\Local\Temp\ef5702e6485641a08b55cf132b46aae669405d801b3ecffd7796d4b274aed8ae.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:304
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\3932163.bat
  2⤵
  - Deletes itself
  PID:1952

C:\Users\Admin\AppData\Local\Temp\3932163.bat

Filesize
299B

MD5
5b365f4c2b342af998385697db3c599e

SHA1
9331d00d285285a42d47799420aa9a75ee806d4d

SHA256
614cb4b2ffc21079f67dd804da677d31c0c922c5a2f13919fcb2e344e5f65111

SHA512
05ec450c0a1cb4de68f8c0a0fb01060f2ce46aaed391999990899b00cacee0276e4c85e691ce61e7821cd8a58c4706fb1b2591e5a4f28cd21b0a778aad91f27f

Download Submit
memory/304-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/304-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/316-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/316-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download