a359cc3afe203ca5927a118b8c89166c639b7ad1d80308d8f4abd4e7f85fb625

Analysis

max time kernel
119s
max time network
148s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
11-11-2023 07:51

Target

loader.exe
Size

449KB
MD5

8e7b05b2619264cb09cdf0facea25fa8
SHA1

2303f4230cf473d262c9eb07024a0831470fcdc4
SHA256

a359cc3afe203ca5927a118b8c89166c639b7ad1d80308d8f4abd4e7f85fb625
SHA512

b287909d8da997efcf7eeabe0d416999549852cf28e3c8434f845e7d47e6ed7b4d44e674ed49cfd4b982826df5882307c8f4b33c7b260fdda7dd37c602f04aca
SSDEEP

12288:V40xCD/hKMldZaXF5oVGamXx7pOUr9q/dtr5RyIp:60wtKMldZCF5A1+9q1trHp

Score

5^/10

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2176	loader.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2176	loader.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2788	2176	loader.exe	28
PID 2176 wrote to memory of 2788	2176	loader.exe	28
PID 2176 wrote to memory of 2788	2176	loader.exe	28
PID 2176 wrote to memory of 2808	2176	loader.exe	29
PID 2176 wrote to memory of 2808	2176	loader.exe	29
PID 2176 wrote to memory of 2808	2176	loader.exe	29
PID 2808 wrote to memory of 2844	2808	cmd.exe	30
PID 2808 wrote to memory of 2844	2808	cmd.exe	30
PID 2808 wrote to memory of 2844	2808	cmd.exe	30
PID 2808 wrote to memory of 2952	2808	cmd.exe	31
PID 2808 wrote to memory of 2952	2808	cmd.exe	31
PID 2808 wrote to memory of 2952	2808	cmd.exe	31
PID 2808 wrote to memory of 2736	2808	cmd.exe	32
PID 2808 wrote to memory of 2736	2808	cmd.exe	32
PID 2808 wrote to memory of 2736	2808	cmd.exe	32
PID 2176 wrote to memory of 2700	2176	loader.exe	33
PID 2176 wrote to memory of 2700	2176	loader.exe	33
PID 2176 wrote to memory of 2700	2176	loader.exe	33

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 3
  2⤵
  PID:2788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\loader.exe" MD5
    3⤵
    PID:2844
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2952
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2700

memory/2176-1-0x000000013F240000-0x000000013F341000-memory.dmp

Filesize
1.0MB

Download
memory/2176-0-0x000000013F240000-0x000000013F341000-memory.dmp

Filesize
1.0MB

Download
memory/2176-3-0x000000013F240000-0x000000013F341000-memory.dmp

Filesize
1.0MB

Download
memory/2176-5-0x0000000001C20000-0x0000000001C66000-memory.dmp

Filesize
280KB

Download
memory/2176-4-0x000000013F240000-0x000000013F341000-memory.dmp

Filesize
1.0MB

Download
memory/2176-6-0x0000000001C20000-0x0000000001C66000-memory.dmp

Filesize
280KB

Download
memory/2176-10-0x000000013F240000-0x000000013F341000-memory.dmp

Filesize
1.0MB

Download
memory/2176-12-0x0000000001C20000-0x0000000001C66000-memory.dmp

Filesize
280KB

Download
memory/2176-15-0x000000013F240000-0x000000013F341000-memory.dmp

Filesize
1.0MB

Download