bce54b81b0e4a378412abffd397b102ece049026cca2311f7ec8e027fe6c3630

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 14:11

Target

NEAS.6db40f99274594c08c41e1ea6ffcf520.exe
Size

639KB
MD5

6db40f99274594c08c41e1ea6ffcf520
SHA1

d6453269a40dd47573cfe53f5a69797bb7e0e80f
SHA256

bce54b81b0e4a378412abffd397b102ece049026cca2311f7ec8e027fe6c3630
SHA512

dea9813e8e0f8741e8fdc785f843f70bb1eb497e249a3f6e254709d661d0e0c5857e6a7e44a8ce59deacf6fa14917710b6058a6204373af0698950908aad3d58
SSDEEP

12288:IjiMo7us39MQ4UWw4IS40caXN0rocw/s87TmOmwbfLk6v:IjiMkuEozwNTVocOn7TmOmcAS

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2452	zfnwmsrhz.exe

Loads dropped DLL 1 IoCs

pid	Process
2508	NEAS.6db40f99274594c08c41e1ea6ffcf520.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\pfgit\zfnwmsrhz.exe	NEAS.6db40f99274594c08c41e1ea6ffcf520.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2452	2508	NEAS.6db40f99274594c08c41e1ea6ffcf520.exe	28
PID 2508 wrote to memory of 2452	2508	NEAS.6db40f99274594c08c41e1ea6ffcf520.exe	28
PID 2508 wrote to memory of 2452	2508	NEAS.6db40f99274594c08c41e1ea6ffcf520.exe	28
PID 2508 wrote to memory of 2452	2508	NEAS.6db40f99274594c08c41e1ea6ffcf520.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.6db40f99274594c08c41e1ea6ffcf520.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6db40f99274594c08c41e1ea6ffcf520.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Program Files (x86)\pfgit\zfnwmsrhz.exe
  "C:\Program Files (x86)\pfgit\zfnwmsrhz.exe"
  2⤵
  - Executes dropped EXE
  PID:2452

C:\Program Files (x86)\pfgit\zfnwmsrhz.exe

Filesize
650KB

MD5
e447114b1330c63370d8d15200d4555f

SHA1
d76bd2cca0935ded6be5bac4709e86a50237287a

SHA256
000a8714d4cd4044f0265196c79f9790eb18ea6f4035b6a88e97505ae60f9b5f

SHA512
3037d5c482a19895bb89df43abc2f9b480929ac78c3d8c2dda124c84ad9f69bcdce03de5a3784eae5fbb568ba6ad910d70a0aab297dfd4a6210593823ec5bf0f

Download Submit
\Program Files (x86)\pfgit\zfnwmsrhz.exe

Filesize
650KB

MD5
e447114b1330c63370d8d15200d4555f

SHA1
d76bd2cca0935ded6be5bac4709e86a50237287a

SHA256
000a8714d4cd4044f0265196c79f9790eb18ea6f4035b6a88e97505ae60f9b5f

SHA512
3037d5c482a19895bb89df43abc2f9b480929ac78c3d8c2dda124c84ad9f69bcdce03de5a3784eae5fbb568ba6ad910d70a0aab297dfd4a6210593823ec5bf0f

Download Submit
memory/2452-10-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2452-12-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2452-13-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2508-1-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2508-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2508-2-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2508-7-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2508-8-0x0000000001D90000-0x0000000001E26000-memory.dmp

Filesize
600KB

Download