5f64190eb10b2cbba325b88f6f2e1a93c872383a6e62fed6a46842ed25b4489a

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
22/12/2022, 17:06

Target

_Silent Install.cmd
Size

1KB
MD5

b144f4c817cf6a66b2e468b1379dc669
SHA1

adfe8b7d329561bfbeb14dff6a281b46a7da1eb3
SHA256

ce86cd60690255a5a5e7375a7ba779bccbf26591f5948d3ca246d1fc599dcb41
SHA512

39e03d822f915ef9c4f6a9cd1ee9e593ada79060cbaae1d4f06ee48c7aef2e9c3ce5043e1966a390e777b319696a2c5bfe49882fbf0023b8053fd45b1d693fea

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
1936	StartBack AiO 1.0.65.1.tmp

Loads dropped DLL 1 IoCs

pid	Process
1116	StartBack AiO 1.0.65.1.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1116	StartBack AiO 1.0.65.1.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1116	1340	cmd.exe	28
PID 1340 wrote to memory of 1116	1340	cmd.exe	28
PID 1340 wrote to memory of 1116	1340	cmd.exe	28
PID 1340 wrote to memory of 1116	1340	cmd.exe	28
PID 1340 wrote to memory of 1116	1340	cmd.exe	28
PID 1340 wrote to memory of 1116	1340	cmd.exe	28
PID 1340 wrote to memory of 1116	1340	cmd.exe	28
PID 1116 wrote to memory of 1936	1116	StartBack AiO 1.0.65.1.exe	29
PID 1116 wrote to memory of 1936	1116	StartBack AiO 1.0.65.1.exe	29
PID 1116 wrote to memory of 1936	1116	StartBack AiO 1.0.65.1.exe	29
PID 1116 wrote to memory of 1936	1116	StartBack AiO 1.0.65.1.exe	29
PID 1116 wrote to memory of 1936	1116	StartBack AiO 1.0.65.1.exe	29
PID 1116 wrote to memory of 1936	1116	StartBack AiO 1.0.65.1.exe	29
PID 1116 wrote to memory of 1936	1116	StartBack AiO 1.0.65.1.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\_Silent Install.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\StartBack AiO 1.0.65.1.exe
  "StartBack AiO 1.0.65.1.exe" /SILENT
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Users\Admin\AppData\Local\Temp\is-04UDV.tmp\StartBack AiO 1.0.65.1.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-04UDV.tmp\StartBack AiO 1.0.65.1.tmp" /SL5="$E0152,5455581,64512,C:\Users\Admin\AppData\Local\Temp\StartBack AiO 1.0.65.1.exe" /SILENT
    3⤵
    - Executes dropped EXE
    PID:1936

C:\Users\Admin\AppData\Local\Temp\is-04UDV.tmp\StartBack AiO 1.0.65.1.tmp

Filesize
911KB

MD5
2bbecb156b7d6f099cfa2361f481d8a2

SHA1
57bfd64b9ddf14015f667eed91c1eb472c3b1b3a

SHA256
b1c19d727278d178a28016ff6a5816c87ef7066f81111a0af74a35d854c05246

SHA512
a70f006fd333552794562dfea282a0622fb35d41e1d7aa9c93014d6a649ca59982303ecbc4cdd9678cbb4a1862b05fd28389813d0e1252d44469223f55414e71

Download Submit
\Users\Admin\AppData\Local\Temp\is-04UDV.tmp\StartBack AiO 1.0.65.1.tmp

Filesize
911KB

MD5
2bbecb156b7d6f099cfa2361f481d8a2

SHA1
57bfd64b9ddf14015f667eed91c1eb472c3b1b3a

SHA256
b1c19d727278d178a28016ff6a5816c87ef7066f81111a0af74a35d854c05246

SHA512
a70f006fd333552794562dfea282a0622fb35d41e1d7aa9c93014d6a649ca59982303ecbc4cdd9678cbb4a1862b05fd28389813d0e1252d44469223f55414e71

Download Submit
memory/1116-55-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1116-56-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1116-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1116-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download