e4d6af95ec6534bf12a9c32517abc9d4e98aeed62cf28934de293dcbcca8c591

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 15:29

Target

79025f8ce6e83f1d74ccef3c1b3fc227.exe
Size

12KB
MD5

79025f8ce6e83f1d74ccef3c1b3fc227
SHA1

c35cc7cec2733ee39f3e5a265f97b56664e91b37
SHA256

e4d6af95ec6534bf12a9c32517abc9d4e98aeed62cf28934de293dcbcca8c591
SHA512

af89e4eb3dbf9a5da35a627335a28d48b5093810d1f39e1a648c3b0eab3b0ad296eac9eee6aa17ec999bb28c671b67c39fffdfb2780c8081c575ce360335a704
SSDEEP

384:jm9zDrAR4WWlro9ctdflCU52iGJwsAaO5zQ:jusrWlkyPfV5HG2s9O

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
448	svohost.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\DukeGame.dll	79025f8ce6e83f1d74ccef3c1b3fc227.exe
File created	C:\Program Files\svohost.exe	79025f8ce6e83f1d74ccef3c1b3fc227.exe
File opened for modification	C:\Program Files\svohost.exe	79025f8ce6e83f1d74ccef3c1b3fc227.exe
File opened for modification	C:\Program Files\DukeGame.dll	svohost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 448	2544	79025f8ce6e83f1d74ccef3c1b3fc227.exe	15
PID 2544 wrote to memory of 448	2544	79025f8ce6e83f1d74ccef3c1b3fc227.exe	15
PID 2544 wrote to memory of 448	2544	79025f8ce6e83f1d74ccef3c1b3fc227.exe	15
PID 2544 wrote to memory of 3680	2544	79025f8ce6e83f1d74ccef3c1b3fc227.exe	14
PID 2544 wrote to memory of 3680	2544	79025f8ce6e83f1d74ccef3c1b3fc227.exe	14
PID 2544 wrote to memory of 3680	2544	79025f8ce6e83f1d74ccef3c1b3fc227.exe	14

C:\Users\Admin\AppData\Local\Temp\79025f8ce6e83f1d74ccef3c1b3fc227.exe
"C:\Users\Admin\AppData\Local\Temp\79025f8ce6e83f1d74ccef3c1b3fc227.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c delself.bat
  2⤵
  PID:3680
- C:\Program Files\svohost.exe
  "C:\Program Files\svohost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:448

C:\Program Files\DukeGame.dll

Filesize
10KB

MD5
3aea6d8639e983d576ba8994fa0fac72

SHA1
ead9df0b4467eb257896d5119606d8c15377402e

SHA256
b14e5db5b92249653f77b012d192f0a9b38be32015644971c91599047dc90621

SHA512
440b2347c18f1431f68133014a0d26430b2e996f78d61e36e278a3fc7d9e413269b63401498520676f6f54f99a17d12fb09a793ae6b4ee00605d79991cb5b877

Download Submit
C:\Program Files\svohost.exe

Filesize
12KB

MD5
79025f8ce6e83f1d74ccef3c1b3fc227

SHA1
c35cc7cec2733ee39f3e5a265f97b56664e91b37

SHA256
e4d6af95ec6534bf12a9c32517abc9d4e98aeed62cf28934de293dcbcca8c591

SHA512
af89e4eb3dbf9a5da35a627335a28d48b5093810d1f39e1a648c3b0eab3b0ad296eac9eee6aa17ec999bb28c671b67c39fffdfb2780c8081c575ce360335a704

Download Submit
C:\Users\Admin\AppData\Local\Temp\delself.bat

Filesize
86B

MD5
d92f32ee92c06a3fdb4ed1dc326d87f1

SHA1
54998e02e38e0c6a35730753e8a56783a7bdd170

SHA256
8a8be4804fdd38bde3bfae055fe080e3924c480e39574f21021b04856ce9f6ed

SHA512
ef397b62086b080821e1d574bd6ba0cb6c554122217238d48ec64f8f78b88bd3a1e32ac14f6021dfa31632bdfe88ec8d3cd59a8e9abe1d05251b58b977472d62

Download Submit
memory/448-6-0x0000000000400000-0x0000000000410600-memory.dmp

Filesize
65KB

Download
memory/448-13-0x0000000000400000-0x0000000000410600-memory.dmp

Filesize
65KB

Download
memory/2544-0-0x0000000000400000-0x0000000000410600-memory.dmp

Filesize
65KB

Download
memory/2544-11-0x0000000000400000-0x0000000000410600-memory.dmp

Filesize
65KB

Download