19363b70d7ccdbf10eb7633628f1e0d08fb0f85cff897fd758cf2b61c93abd81

Analysis

max time kernel
79s
max time network
141s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-04-2023 19:52

Target

a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe
Size

13KB
MD5

489e088030eae6acf86c690cb42352b4
SHA1

943a6abb8d2ff25ae6b54c953b211879328a5123
SHA256

a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9
SHA512

78e7d85f57f0b85a71c617d4bea8783b433340a006756064181745a85b3de8d49f66ca3b460414406d1e83b525134aba0f6451c53b95f5ed482604c8395e6b99
SSDEEP

192:C2WjQTbZ1eBppvfj/j2+cPM3P+Q/tCvwSw3uM76V9bhHOkrUN9:C2jTbZ0pj/vcqP+ctCYSw3GV9bhrUN

Score

4^/10

Drops file in Windows directory 2 IoCs

Processes:

a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe
File opened for modification	C:\Windows\Tasks\wow64.job	a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 432 wrote to memory of 1152	432	taskeng.exe	a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe
PID 432 wrote to memory of 1152	432	taskeng.exe	a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe
PID 432 wrote to memory of 1152	432	taskeng.exe	a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe
PID 432 wrote to memory of 1152	432	taskeng.exe	a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe

C:\Users\Admin\AppData\Local\Temp\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe
"C:\Users\Admin\AppData\Local\Temp\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe"
1⤵
- Drops file in Windows directory
PID:920

C:\Windows\system32\taskeng.exe
taskeng.exe {C2AE5A8C-5AA8-47E7-9C04-D4DB3F35E8BA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe
C:\Users\Admin\AppData\Local\Temp\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe start
2⤵
PID:1152