0484cfb664a50ded3995d8b238ab2e6270a0687a199b1b1cf4044ac21c86d459

Analysis

max time kernel
1563s
max time network
1566s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17-08-2023 21:08

Target

setup.exe
Size

90KB
MD5

f0320cbabc449eb7dbef3b1dc5d22038
SHA1

a89eb6460594feb2a6721a26ad8302a9f6176d73
SHA256

0484cfb664a50ded3995d8b238ab2e6270a0687a199b1b1cf4044ac21c86d459
SHA512

677908d4dc804a0856c4af18d1f4063f9f49a81c459acfab01a549bcea11d67d39660000ac00e63609d6fc9fbd7df2e986b508743367348629a8f0760802cfaf
SSDEEP

1536:v7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfCwdOz:D7DhdC6kzWypvaQ0FxyNTBfCD

Score

7^/10

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
612	timeout.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 1620	1276	setup.exe	29
PID 1276 wrote to memory of 1620	1276	setup.exe	29
PID 1276 wrote to memory of 1620	1276	setup.exe	29
PID 1276 wrote to memory of 1620	1276	setup.exe	29
PID 1620 wrote to memory of 612	1620	cmd.exe	30
PID 1620 wrote to memory of 612	1620	cmd.exe	30
PID 1620 wrote to memory of 612	1620	cmd.exe	30
PID 1620 wrote to memory of 2480	1620	cmd.exe	31
PID 1620 wrote to memory of 2480	1620	cmd.exe	31
PID 1620 wrote to memory of 2480	1620	cmd.exe	31
PID 2480 wrote to memory of 1624	2480	cmd.exe	32
PID 2480 wrote to memory of 1624	2480	cmd.exe	32
PID 2480 wrote to memory of 1624	2480	cmd.exe	32
PID 2480 wrote to memory of 2968	2480	cmd.exe	33
PID 2480 wrote to memory of 2968	2480	cmd.exe	33
PID 2480 wrote to memory of 2968	2480	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6864.tmp\6865.tmp\6866.bat C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\system32\timeout.exe
    Timeout /t 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com 2>NUL|find "Address:"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\system32\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:1624
  - - C:\Windows\system32\find.exe
      find "Address:"
      4⤵
      PID:2968

C:\Users\Admin\AppData\Local\Temp\6864.tmp\6865.tmp\6866.bat

Filesize
908B

MD5
03725acb44af5b566d7ac3cb106cdf71

SHA1
ed76e05c7d21feedf8f9e5f28c68ffb747afdc2f

SHA256
c730a618518ba1872434365b30e5d28326a43a935a95347d2b23eedcdb75545d

SHA512
1d0e4e2c50605a3c3f6d898b1333e2a6b2095de8f5a11d77cec477bb399bbea45d7655a87d35026a65d871b49cbda2ba6f22cfaffdf6a20d9fa7c0e95c40c0e1

Download Submit