e72c1df8eca01a37dd8d5cbe035e090fcfcc62ef0411b720ca54c22289a8df18

Analysis

max time kernel
139s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2023, 18:13

Target

d727782bbee0d26da3506c6791687326_mafia_JC.exe
Size

444KB
MD5

d727782bbee0d26da3506c6791687326
SHA1

21f68a49e14bfaf3dc720e9f2924260d7945b2fd
SHA256

e72c1df8eca01a37dd8d5cbe035e090fcfcc62ef0411b720ca54c22289a8df18
SHA512

07504559ed3f316123f9a1758b2abd25b211a89183bc90f6bdc2c04689c3d746c86d41a3e81fad36db262ef413e97a22d1d0026d1b47e092fa073b3b1d5a361f
SSDEEP

12288:Nb4bZudi79LCrmmuPx5iGyPgUg8Hucm0eLewdtIA:Nb4bcdkLKmmuZ5iGBvOmF

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
3764	877.tmp

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{576F1891-FE6F-4607-9C91-4D3132B47006}.catalogItem	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 3764	1132	d727782bbee0d26da3506c6791687326_mafia_JC.exe	86
PID 1132 wrote to memory of 3764	1132	d727782bbee0d26da3506c6791687326_mafia_JC.exe	86
PID 1132 wrote to memory of 3764	1132	d727782bbee0d26da3506c6791687326_mafia_JC.exe	86

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:1136

C:\Users\Admin\AppData\Local\Temp\d727782bbee0d26da3506c6791687326_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\d727782bbee0d26da3506c6791687326_mafia_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Users\Admin\AppData\Local\Temp\877.tmp
  "C:\Users\Admin\AppData\Local\Temp\877.tmp" --helpC:\Users\Admin\AppData\Local\Temp\d727782bbee0d26da3506c6791687326_mafia_JC.exe ECEFD55703397A38A64039358036FDB58718FCA604380B2F906D08F60E56C649847A836C2747FAF9E466A807EEC9C3E7F4511FF1ABE25B287F590C9A669EC7E5
  2⤵
  - Executes dropped EXE
  PID:3764

C:\Users\Admin\AppData\Local\Temp\877.tmp

Filesize
444KB

MD5
8c9d2fd8dd4662602dc0cffb51f2fc3c

SHA1
e84b1dbaac9b313501d578c9205fadf7923358b9

SHA256
d3a9660f941cbe7bc08bbefb1dc6c4e06f9c037a045a3e4a0cc018bfff3aec87

SHA512
2b17fbd017c1aa3fc6850c610175e225ab54259529ffef22781bad0b7dcd3718bbfa80274a27ef32b2716aa333d30292f465c61b9aeb950c350597c26995c40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\877.tmp

Filesize
444KB

MD5
8c9d2fd8dd4662602dc0cffb51f2fc3c

SHA1
e84b1dbaac9b313501d578c9205fadf7923358b9

SHA256
d3a9660f941cbe7bc08bbefb1dc6c4e06f9c037a045a3e4a0cc018bfff3aec87

SHA512
2b17fbd017c1aa3fc6850c610175e225ab54259529ffef22781bad0b7dcd3718bbfa80274a27ef32b2716aa333d30292f465c61b9aeb950c350597c26995c40b

Download Submit