a359cc3afe203ca5927a118b8c89166c639b7ad1d80308d8f4abd4e7f85fb625

Analysis

max time kernel
89s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2023 07:51

Target

loader.exe
Size

449KB
MD5

8e7b05b2619264cb09cdf0facea25fa8
SHA1

2303f4230cf473d262c9eb07024a0831470fcdc4
SHA256

a359cc3afe203ca5927a118b8c89166c639b7ad1d80308d8f4abd4e7f85fb625
SHA512

b287909d8da997efcf7eeabe0d416999549852cf28e3c8434f845e7d47e6ed7b4d44e674ed49cfd4b982826df5882307c8f4b33c7b260fdda7dd37c602f04aca
SSDEEP

12288:V40xCD/hKMldZaXF5oVGamXx7pOUr9q/dtr5RyIp:60wtKMldZCF5A1+9q1trHp

Score

5^/10

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2788	loader.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2788	loader.exe
2788	loader.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 1496	2788	loader.exe	91
PID 2788 wrote to memory of 1496	2788	loader.exe	91
PID 2788 wrote to memory of 3312	2788	loader.exe	92
PID 2788 wrote to memory of 3312	2788	loader.exe	92
PID 3312 wrote to memory of 4404	3312	cmd.exe	93
PID 3312 wrote to memory of 4404	3312	cmd.exe	93
PID 3312 wrote to memory of 3168	3312	cmd.exe	94
PID 3312 wrote to memory of 3168	3312	cmd.exe	94
PID 3312 wrote to memory of 4144	3312	cmd.exe	95
PID 3312 wrote to memory of 4144	3312	cmd.exe	95
PID 2788 wrote to memory of 2492	2788	loader.exe	96
PID 2788 wrote to memory of 2492	2788	loader.exe	96

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 3
  2⤵
  PID:1496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\loader.exe" MD5
    3⤵
    PID:4404
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:3168
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:4144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2492

memory/2788-0-0x00007FF66DA60000-0x00007FF66DB61000-memory.dmp

Filesize
1.0MB

Download
memory/2788-1-0x00007FF66DA60000-0x00007FF66DB61000-memory.dmp

Filesize
1.0MB

Download
memory/2788-2-0x00007FF66DA60000-0x00007FF66DB61000-memory.dmp

Filesize
1.0MB

Download
memory/2788-4-0x0000013EF2E70000-0x0000013EF2EB6000-memory.dmp

Filesize
280KB

Download
memory/2788-3-0x00007FF66DA60000-0x00007FF66DB61000-memory.dmp

Filesize
1.0MB

Download
memory/2788-5-0x00007FF66DA60000-0x00007FF66DB61000-memory.dmp

Filesize
1.0MB

Download
memory/2788-6-0x0000013EF2E70000-0x0000013EF2EB6000-memory.dmp

Filesize
280KB

Download
memory/2788-10-0x00007FF66DA60000-0x00007FF66DB61000-memory.dmp

Filesize
1.0MB

Download
memory/2788-12-0x0000013EF2E70000-0x0000013EF2EB6000-memory.dmp

Filesize
280KB

Download
memory/2788-14-0x00007FF66DA60000-0x00007FF66DB61000-memory.dmp

Filesize
1.0MB

Download
memory/2788-15-0x00007FF66DA60000-0x00007FF66DB61000-memory.dmp

Filesize
1.0MB

Download