a2aa9478bc4bf90652f11fe5fedb2b55570c14e5a10ecb8163789082851478c3

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 03:58

Target

5254da63e4c4a55baa1fa54423e9ff6c.exe
Size

209KB
MD5

5254da63e4c4a55baa1fa54423e9ff6c
SHA1

2a1ad254c8f40de945bdc368e0638821c4a33d40
SHA256

a2aa9478bc4bf90652f11fe5fedb2b55570c14e5a10ecb8163789082851478c3
SHA512

1ed027b8976b85c546bfd6f7237b5844e6d87a29854605d5cae5fb75ee76f48ad7c44634b1227a4531f5e926ff1649fc06235b435a95410a7d2935185a0b9272
SSDEEP

6144:0li5UYi9tDh7ykp71zQsNjiwAB9EQcwyU6HXH:167yQ7LjDABOQcwvA

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
2396	u.dll
3008	u.dll

Loads dropped DLL 4 IoCs

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1824	1752	5254da63e4c4a55baa1fa54423e9ff6c.exe	15
PID 1752 wrote to memory of 1824	1752	5254da63e4c4a55baa1fa54423e9ff6c.exe	15
PID 1752 wrote to memory of 1824	1752	5254da63e4c4a55baa1fa54423e9ff6c.exe	15
PID 1752 wrote to memory of 1824	1752	5254da63e4c4a55baa1fa54423e9ff6c.exe	15
PID 1824 wrote to memory of 2396	1824	cmd.exe	14
PID 1824 wrote to memory of 2396	1824	cmd.exe	14
PID 1824 wrote to memory of 2396	1824	cmd.exe	14
PID 1824 wrote to memory of 2396	1824	cmd.exe	14
PID 1824 wrote to memory of 3008	1824	cmd.exe	31
PID 1824 wrote to memory of 3008	1824	cmd.exe	31
PID 1824 wrote to memory of 3008	1824	cmd.exe	31
PID 1824 wrote to memory of 3008	1824	cmd.exe	31
PID 1824 wrote to memory of 2616	1824	cmd.exe	32
PID 1824 wrote to memory of 2616	1824	cmd.exe	32
PID 1824 wrote to memory of 2616	1824	cmd.exe	32
PID 1824 wrote to memory of 2616	1824	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\u.dll
u.dll -bat vir.bat -save 5254da63e4c4a55baa1fa54423e9ff6c.exe.com -include s.dll -overwrite -nodelete
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1249.tmp\vir.bat""
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\u.dll
  u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\SysWOW64\calc.exe
  CALC.EXE
  2⤵
  PID:2616

C:\Users\Admin\AppData\Local\Temp\5254da63e4c4a55baa1fa54423e9ff6c.exe
"C:\Users\Admin\AppData\Local\Temp\5254da63e4c4a55baa1fa54423e9ff6c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\1249.tmp\vir.bat

Filesize
2KB

MD5
72d4cd68f3a94315e512b2aa41635d05

SHA1
53e78bf4a36526da7e520bfff5b7983a0a1b17d9

SHA256
a6e067f16610730b6846fbcf2e66091904222344b5219531a5116fd9f9131802

SHA512
49c1836cc2a80d1a1988bf9458479c363dafc7b94a0bab6f32bd3edd37fbd72515bc64798a5d11bcadc7e58b4e0162f442e5c3f863f69393fe626576b0406ba0

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
94KB

MD5
f2a03a6beb16bba96be9ab72a1526bdf

SHA1
01a64798a011ee623981a0de68c26899584dd3e6

SHA256
d46ee06d49c794f687ba714ac95a27ae032605657af12a2c7c6c113050da941d

SHA512
a30d13c2977519ae7698378577f3fa80efe0c8fca5d706e552249f5b828616767ab57babc054bd7aa8e086ab60974b88e7c9b087622e25a45faa62864855daa2

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
92KB

MD5
3ead3d1666a7ba5496ca7f0bdba490e6

SHA1
1c2707e1ed0b80eceb9e222e7c12e922e1ad1a13

SHA256
9c86a7b9cbd93a18253b5101b8a4272f9396e752177b5a49520384df06f18f5d

SHA512
147d684c5f73aa2aadc05c01c9aa31e887242edf53b97f151024ddf84384b2517dc6bd9a7bb52d9c607f47583b7b4868e809ad042e7f8e951e6a331004c62335

Download Submit
memory/1752-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1752-54-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download