768d5dd27cae8a6cad9c6681fcc144b05de5944d8203f9bb4c4754e81b0dbc9b

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 07:22

Target

5c3af53004a140e8975dc7334dae2152.exe
Size

27KB
MD5

5c3af53004a140e8975dc7334dae2152
SHA1

4ce16ae7864ba7be0bf5057ebacbf8b20855923d
SHA256

768d5dd27cae8a6cad9c6681fcc144b05de5944d8203f9bb4c4754e81b0dbc9b
SHA512

6afc329b3a95c920f2947f3197c69cb6fcf801bb7ff8fd7ffe7c33a2eb12e3ecb376271081137ebad177517c85db5e5b9b81f50f2e9e9b91794d266e30f14ac5
SSDEEP

384:ivbQLhZTMmrjxsdoioHZ0YHCbIkudxZqwZBrsCpQSVDPtXbKFkZ1NRqzXosCD3yg:jAk9sw1HYIkud7thpvZPtSK12YnD

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2824	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1896	NTdhcp.exe

Loads dropped DLL 2 IoCs

pid	Process
2956	5c3af53004a140e8975dc7334dae2152.exe
2956	5c3af53004a140e8975dc7334dae2152.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\NTdhcp.exe	NTdhcp.exe
File created	C:\Windows\SysWOW64\NTdhcp.exe	5c3af53004a140e8975dc7334dae2152.exe
File opened for modification	C:\Windows\SysWOW64\NTdhcp.exe	5c3af53004a140e8975dc7334dae2152.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Deleteme.bat	5c3af53004a140e8975dc7334dae2152.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 1896	2956	5c3af53004a140e8975dc7334dae2152.exe	28
PID 2956 wrote to memory of 1896	2956	5c3af53004a140e8975dc7334dae2152.exe	28
PID 2956 wrote to memory of 1896	2956	5c3af53004a140e8975dc7334dae2152.exe	28
PID 2956 wrote to memory of 1896	2956	5c3af53004a140e8975dc7334dae2152.exe	28
PID 2956 wrote to memory of 2824	2956	5c3af53004a140e8975dc7334dae2152.exe	29
PID 2956 wrote to memory of 2824	2956	5c3af53004a140e8975dc7334dae2152.exe	29
PID 2956 wrote to memory of 2824	2956	5c3af53004a140e8975dc7334dae2152.exe	29
PID 2956 wrote to memory of 2824	2956	5c3af53004a140e8975dc7334dae2152.exe	29

C:\Users\Admin\AppData\Local\Temp\5c3af53004a140e8975dc7334dae2152.exe
"C:\Users\Admin\AppData\Local\Temp\5c3af53004a140e8975dc7334dae2152.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\NTdhcp.exe
  C:\Windows\system32\NTdhcp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\Deleteme.bat
  2⤵
  - Deletes itself
  PID:2824

C:\Windows\Deleteme.bat

Filesize
184B

MD5
37745585099b94a72a5ca20a22350d0d

SHA1
52729eea0ae3588fbfefe228b76f00250d29207a

SHA256
d2622cbb56a49076c35bdab385de27a6bfad400503e65d21f80cd511c76f683c

SHA512
4802428d2056d5153386a656817ff906db48645df3690751749dd81f6dc06557f8a1dda9edbeb4e472c11013c25875720a6112e57ed7c9ffdcef24df21acfa85

Download Submit
\Windows\SysWOW64\NTdhcp.exe

Filesize
27KB

MD5
5c3af53004a140e8975dc7334dae2152

SHA1
4ce16ae7864ba7be0bf5057ebacbf8b20855923d

SHA256
768d5dd27cae8a6cad9c6681fcc144b05de5944d8203f9bb4c4754e81b0dbc9b

SHA512
6afc329b3a95c920f2947f3197c69cb6fcf801bb7ff8fd7ffe7c33a2eb12e3ecb376271081137ebad177517c85db5e5b9b81f50f2e9e9b91794d266e30f14ac5

Download Submit
memory/1896-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2956-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download