cb5f4499c566573389799c5ac40d6860587a08d156a0d3c8c9d1211b45513684

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 19:45

Target

0e91a66a68f344c64d68f338c707ec50.exe
Size

17KB
MD5

0e91a66a68f344c64d68f338c707ec50
SHA1

6b0b9c1709465a3af472f0bfb78e26039c9260fb
SHA256

cb5f4499c566573389799c5ac40d6860587a08d156a0d3c8c9d1211b45513684
SHA512

8239460275a4170fe88e03f32b7dbdf9f4fcabf141bff36355551275e7945e33c64e5fb260e93138aa8b91169947a97fcec364252e7a3e2835094173a31053a2
SSDEEP

384:N2fWiEb+rHymMRC8XJm5guBOFXs1fd7edW23KXOAMTEr:AWiSKrE2iu8FX0KWDO/Ar

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
3504	0e91a66a68f344c64d68f338c707ec50.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\gdzhtui32.cfg	0e91a66a68f344c64d68f338c707ec50.exe
File opened for modification	C:\Windows\SysWOW64\gdzhtui32.dll	0e91a66a68f344c64d68f338c707ec50.exe
File created	C:\Windows\SysWOW64\gdzhtui32.dll	0e91a66a68f344c64d68f338c707ec50.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3504	0e91a66a68f344c64d68f338c707ec50.exe
3504	0e91a66a68f344c64d68f338c707ec50.exe

Suspicious behavior: LoadsDriver 64 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 4304	3504	0e91a66a68f344c64d68f338c707ec50.exe	45
PID 3504 wrote to memory of 4304	3504	0e91a66a68f344c64d68f338c707ec50.exe	45
PID 3504 wrote to memory of 4304	3504	0e91a66a68f344c64d68f338c707ec50.exe	45

C:\Users\Admin\AppData\Local\Temp\0e91a66a68f344c64d68f338c707ec50.exe
"C:\Users\Admin\AppData\Local\Temp\0e91a66a68f344c64d68f338c707ec50.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\0e91a66a68f344c64d68f338c707ec50.exe"
  2⤵
  PID:4304

C:\Users\Admin\AppData\Local\Temp\tmp4AC9.tmp

Filesize
3KB

MD5
8e8b8eef018b9251f88c59c604091ff8

SHA1
d53a342b5af75199198ed4b25f082c2f6d7bc3cf

SHA256
7138117b3d79799f8b7348460a818690d545092debc63fdb74e8633c16e07861

SHA512
d81e3baa23dc4485afbe16c6bb42a3f3d1f6dbf97ebfbff940a8db1a3ab42b00dda895335aeef3b2ad333b04e0da6e3f6acf742f5c9902672f7e9a22473aaa5c

Download Submit
C:\Windows\SysWOW64\gdzhtui32.dll

Filesize
3KB

MD5
a29db467e2b8dd3648a77d544291867d

SHA1
ffa5f5ebfbd460a5cb14bc768db85f3d2e78e04e

SHA256
8ea22516d980d6b9b5016ede605221481fd934727507b874ffb23af5260c24ec

SHA512
2daa411467006ae55049e6f8866bbb9a5e33ca62df8e32da69b98bde2f9ae4264e05a55b574cde6039a452add4445e9488c2a30268930e4452e5cef06e169d94

Download Submit
C:\name.log

Filesize
58B

MD5
5602febf87bd4c535da2d4e90f56e52b

SHA1
e563ac3a277e614480525dc60061a06afe1a0419

SHA256
569f5ce34e8e491d1b425b57cc90c1463d72eb531983727557802b17c148486b

SHA512
b0e8186706e004b800f3e554171c2a3d8c7391b5d0ba8694380fdfdd12fb09330033a1af29bdc8898a09fabad611aaa98e3deb51d2e4d6e1e0d524b673eddb0f

Download Submit
memory/3504-4-0x0000000025000000-0x000000002501C000-memory.dmp

Filesize
112KB

Download
memory/3504-1377-0x0000000025000000-0x000000002501C000-memory.dmp

Filesize
112KB

Download