75f3442c06118878ae8e96715f191863fc327a0f42be996ad7554fe48be39575

Analysis

max time kernel
119s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2023, 12:52

Target

75f3442c06118878ae8e96715f191863fc327a0f42be996ad7554fe48be39575.exe
Size

14KB
MD5

c47e82f4d66cca186744c474485d8ffe
SHA1

98943c9779d6258ea68fcfe72259b72a853fc385
SHA256

75f3442c06118878ae8e96715f191863fc327a0f42be996ad7554fe48be39575
SHA512

f6edc3d0e31135aa00a22f0db55b40971ec41a68dd9dcabb700421907c5c26e96abe62445cde2724c622ad30bf18addd5b954bc4c9cd134143dd55c08b240206
SSDEEP

192:zOSQ95Iurheh0sLcAY7qjuoBCgP3Q5tfwcANffmPD:zlQ95IutanYAgqHfP3L9GD

Score

1^/10

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2248	OpenWith.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 3924	4228	75f3442c06118878ae8e96715f191863fc327a0f42be996ad7554fe48be39575.exe	85
PID 4228 wrote to memory of 3924	4228	75f3442c06118878ae8e96715f191863fc327a0f42be996ad7554fe48be39575.exe	85
PID 3924 wrote to memory of 2204	3924	cmd.exe	86
PID 3924 wrote to memory of 2204	3924	cmd.exe	86
PID 3924 wrote to memory of 3556	3924	cmd.exe	87
PID 3924 wrote to memory of 3556	3924	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\75f3442c06118878ae8e96715f191863fc327a0f42be996ad7554fe48be39575.exe
"C:\Users\Admin\AppData\Local\Temp\75f3442c06118878ae8e96715f191863fc327a0f42be996ad7554fe48be39575.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c echo 73746172742063616C632E657865 > 1.txt && certutil -decodehex 1.txt fi.bat && fi.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\system32\certutil.exe
    certutil -decodehex 1.txt fi.bat
    3⤵
    PID:2204
- - C:\Windows\system32\calc.exe
    calc.exe
    3⤵
    - Modifies registry class
    PID:3556

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2248

C:\Users\Admin\AppData\Local\Temp\1.txt

Filesize
32B

MD5
48a4151336002ddd524facc07cb44bfd

SHA1
e53362bae6ee1f87255ffcd178cadc85155b14ea

SHA256
eeef85989ea117c38b3cca39a6700af6e99c24fad31ed95245ad2a2b18bf4dd4

SHA512
c3b42015664722b7c75e7cfcbe3c4c368a23d6152ae5eedd2502c6d2873a117d2283b508d95fae34fbfdd9bbcf3ff0c81127635ab7bf82ef25c76aa5f3eec306

Download Submit
C:\Users\Admin\AppData\Local\Temp\fi.bat

Filesize
14B

MD5
f107dfd43fe353c31476941723bd19e2

SHA1
48cb709699652ff5e8a5c1f4e7756fa9c76aba43

SHA256
bd49877b5fc35864a9e9ddf6937779458bb834f6be4d129cd7f35b666b6420f2

SHA512
8611aec51f10be2c2bcf885e9e25ed4ea4801046c3f59da0ee3845f0a888b6ae223513180328982c5d3cde1448c9e702975d9b7f372f4a7fe1d450a76f83bba4

Download Submit
memory/4228-0-0x000002220C0E0000-0x000002220C0E1000-memory.dmp

Filesize
4KB

Download