cb5f4499c566573389799c5ac40d6860587a08d156a0d3c8c9d1211b45513684

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 19:45

Target

0e91a66a68f344c64d68f338c707ec50.exe
Size

17KB
MD5

0e91a66a68f344c64d68f338c707ec50
SHA1

6b0b9c1709465a3af472f0bfb78e26039c9260fb
SHA256

cb5f4499c566573389799c5ac40d6860587a08d156a0d3c8c9d1211b45513684
SHA512

8239460275a4170fe88e03f32b7dbdf9f4fcabf141bff36355551275e7945e33c64e5fb260e93138aa8b91169947a97fcec364252e7a3e2835094173a31053a2
SSDEEP

384:N2fWiEb+rHymMRC8XJm5guBOFXs1fd7edW23KXOAMTEr:AWiSKrE2iu8FX0KWDO/Ar

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1852	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2948	0e91a66a68f344c64d68f338c707ec50.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\gdzhtui32.cfg	0e91a66a68f344c64d68f338c707ec50.exe
File opened for modification	C:\Windows\SysWOW64\gdzhtui32.dll	0e91a66a68f344c64d68f338c707ec50.exe
File created	C:\Windows\SysWOW64\gdzhtui32.dll	0e91a66a68f344c64d68f338c707ec50.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2948	0e91a66a68f344c64d68f338c707ec50.exe

Suspicious behavior: LoadsDriver 64 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 1852	2948	0e91a66a68f344c64d68f338c707ec50.exe	28
PID 2948 wrote to memory of 1852	2948	0e91a66a68f344c64d68f338c707ec50.exe	28
PID 2948 wrote to memory of 1852	2948	0e91a66a68f344c64d68f338c707ec50.exe	28
PID 2948 wrote to memory of 1852	2948	0e91a66a68f344c64d68f338c707ec50.exe	28

C:\Users\Admin\AppData\Local\Temp\0e91a66a68f344c64d68f338c707ec50.exe
"C:\Users\Admin\AppData\Local\Temp\0e91a66a68f344c64d68f338c707ec50.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\0e91a66a68f344c64d68f338c707ec50.exe"
  2⤵
  - Deletes itself
  PID:1852

C:\Users\Admin\AppData\Local\Temp\tmp5D0.tmp

Filesize
3KB

MD5
8e8b8eef018b9251f88c59c604091ff8

SHA1
d53a342b5af75199198ed4b25f082c2f6d7bc3cf

SHA256
7138117b3d79799f8b7348460a818690d545092debc63fdb74e8633c16e07861

SHA512
d81e3baa23dc4485afbe16c6bb42a3f3d1f6dbf97ebfbff940a8db1a3ab42b00dda895335aeef3b2ad333b04e0da6e3f6acf742f5c9902672f7e9a22473aaa5c

Download Submit
C:\name.log

Filesize
58B

MD5
5602febf87bd4c535da2d4e90f56e52b

SHA1
e563ac3a277e614480525dc60061a06afe1a0419

SHA256
569f5ce34e8e491d1b425b57cc90c1463d72eb531983727557802b17c148486b

SHA512
b0e8186706e004b800f3e554171c2a3d8c7391b5d0ba8694380fdfdd12fb09330033a1af29bdc8898a09fabad611aaa98e3deb51d2e4d6e1e0d524b673eddb0f

Download Submit
\Windows\SysWOW64\gdzhtui32.dll

Filesize
13KB

MD5
e7edd1d4f239f741b824eaf9510cee32

SHA1
73d247c3469841aeb73fc491844186b926ae4372

SHA256
66c42252ca390e7ebd8ff57d7ba409dacf4315b3da2c4eab25e51bd6a6ae3037

SHA512
65f3aa17cc4f11ee8555780bca5c0856a70716518eaa2ba255ea830c5a704d301a11554be06efd00456bd5611452d546f88dc175a23928e35e153d08ba036091

Download Submit
memory/2948-3-0x0000000025000000-0x000000002501C000-memory.dmp

Filesize
112KB

Download
memory/2948-283-0x0000000025000000-0x000000002501C000-memory.dmp

Filesize
112KB

Download