205d620570a27233a1789876137895f8340d09f65fb5703fe1c28b2c63e8df45

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 13:12

Target

713b33f20851513c8f0cef8c36f29002.exe
Size

1.1MB
MD5

713b33f20851513c8f0cef8c36f29002
SHA1

3d2664523475145aac21686af9f035d853dfb500
SHA256

205d620570a27233a1789876137895f8340d09f65fb5703fe1c28b2c63e8df45
SHA512

4a913a76bf13d9f7422637b6fe7fb1c9c8a944ce1b2fa67b5f3c3f9d7980f455cc7574a20b0e0cdb7091f8577779bc7422dd28b89940758cef0b3aa7fc3dbb89
SSDEEP

24576:1xGK9Xonp3OJ/FrEzQxrks3LPtG+esqt9fWJ3Rn54:u0oOrEz8n3749fW3n

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
4184	713b33f20851513c8f0cef8c36f29002.tmp

Loads dropped DLL 1 IoCs

pid	Process
4184	713b33f20851513c8f0cef8c36f29002.tmp

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4184	713b33f20851513c8f0cef8c36f29002.tmp
4184	713b33f20851513c8f0cef8c36f29002.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 4184	1256	713b33f20851513c8f0cef8c36f29002.exe	17
PID 1256 wrote to memory of 4184	1256	713b33f20851513c8f0cef8c36f29002.exe	17
PID 1256 wrote to memory of 4184	1256	713b33f20851513c8f0cef8c36f29002.exe	17

C:\Users\Admin\AppData\Local\Temp\713b33f20851513c8f0cef8c36f29002.exe
"C:\Users\Admin\AppData\Local\Temp\713b33f20851513c8f0cef8c36f29002.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\is-Q6600.tmp\713b33f20851513c8f0cef8c36f29002.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-Q6600.tmp\713b33f20851513c8f0cef8c36f29002.tmp" /SL5="$401F4,648832,313856,C:\Users\Admin\AppData\Local\Temp\713b33f20851513c8f0cef8c36f29002.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4184

memory/1256-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1256-2-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1256-29-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4184-7-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/4184-30-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4184-33-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download