00cff1006248e1b896752aac025608edc8f2defc08c0944461edbec1cdc4d8bf

Analysis

max time kernel
91s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2023, 04:19

Target

00cff1006248e1b896752aac025608edc8f2defc08c0944461edbec1cdc4d8bf.exe
Size

2.7MB
MD5

e85ed65f43267ccb2c2c40ae4273acba
SHA1

8db02113b03540f0a35723ee166e8525d6954338
SHA256

00cff1006248e1b896752aac025608edc8f2defc08c0944461edbec1cdc4d8bf
SHA512

842eb9812be7dbaf782a9bf6be9cf48fb09dc6e2b31a822c9deb9e56893cd64d1c9da949ac5e26d88ed5ac1f29279dbb716bce70fc574f0d7d16e667eeff7ea2
SSDEEP

49152:olPkFc5TciEdoGFgcC4053LWq2BrR28/zP9WUw+TBwGJl1DDpo3:oeFUR4qLWq2BtL/zPNw+TBj/p

Score

1^/10

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 5008	1632	00cff1006248e1b896752aac025608edc8f2defc08c0944461edbec1cdc4d8bf.exe	81
PID 1632 wrote to memory of 5008	1632	00cff1006248e1b896752aac025608edc8f2defc08c0944461edbec1cdc4d8bf.exe	81
PID 1632 wrote to memory of 5008	1632	00cff1006248e1b896752aac025608edc8f2defc08c0944461edbec1cdc4d8bf.exe	81
PID 5008 wrote to memory of 3764	5008	cmd.exe	82
PID 5008 wrote to memory of 3764	5008	cmd.exe	82
PID 5008 wrote to memory of 3764	5008	cmd.exe	82
PID 1632 wrote to memory of 4932	1632	00cff1006248e1b896752aac025608edc8f2defc08c0944461edbec1cdc4d8bf.exe	83
PID 1632 wrote to memory of 4932	1632	00cff1006248e1b896752aac025608edc8f2defc08c0944461edbec1cdc4d8bf.exe	83
PID 1632 wrote to memory of 4932	1632	00cff1006248e1b896752aac025608edc8f2defc08c0944461edbec1cdc4d8bf.exe	83

C:\Users\Admin\AppData\Local\Temp\00cff1006248e1b896752aac025608edc8f2defc08c0944461edbec1cdc4d8bf.exe
"C:\Users\Admin\AppData\Local\Temp\00cff1006248e1b896752aac025608edc8f2defc08c0944461edbec1cdc4d8bf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c MODE CON COLS=215 LINES=22
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\mode.com
    MODE CON COLS=215 LINES=22
    3⤵
    PID:3764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Color A
  2⤵
  PID:4932