82e99e57eaa5671490f194f9a30d0a3f56b017443b231e55d95abacf2c04cc8d

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 22:54

Target

0637944677b7927cfb76b4e45a963829.exe
Size

372KB
MD5

0637944677b7927cfb76b4e45a963829
SHA1

6cbdecded3fb4bc3ddeb8cb0973a909c9dfe5cf2
SHA256

82e99e57eaa5671490f194f9a30d0a3f56b017443b231e55d95abacf2c04cc8d
SHA512

515cbae689dcdee88341197af92ce241a6cbdc4566a1411479562a93d9c9c3e0b40d91b060ea619472735a188c7e10effbd8b7aea752a93fa21d2fca66af8da4
SSDEEP

6144:TFbY+DogwsHWXj9ZOb4YNAWss6BaFQUAneLG7pfl11DoBx7sJS4uImEukb53oS:BAXnkcBTUUhpN3orsABNE7oS

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
3716	winlogono.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3716 set thread context of 3124	3716	winlogono.exe	93

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\winlogoni\winlogono.exe	0637944677b7927cfb76b4e45a963829.exe
File opened for modification	C:\Program Files (x86)\winlogoni\winlogono.exe	0637944677b7927cfb76b4e45a963829.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3124	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 2300	4880	0637944677b7927cfb76b4e45a963829.exe	94
PID 4880 wrote to memory of 2300	4880	0637944677b7927cfb76b4e45a963829.exe	94
PID 4880 wrote to memory of 2300	4880	0637944677b7927cfb76b4e45a963829.exe	94
PID 3716 wrote to memory of 3124	3716	winlogono.exe	93
PID 3716 wrote to memory of 3124	3716	winlogono.exe	93
PID 3716 wrote to memory of 3124	3716	winlogono.exe	93
PID 3716 wrote to memory of 3124	3716	winlogono.exe	93
PID 3716 wrote to memory of 3124	3716	winlogono.exe	93

C:\Users\Admin\AppData\Local\Temp\0637944677b7927cfb76b4e45a963829.exe
"C:\Users\Admin\AppData\Local\Temp\0637944677b7927cfb76b4e45a963829.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\CBWMJI.bat
  2⤵
  PID:2300

C:\Program Files (x86)\winlogoni\winlogono.exe
"C:\Program Files (x86)\winlogoni\winlogono.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" 34026
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:3124

C:\Program Files (x86)\winlogoni\winlogono.exe

Filesize
372KB

MD5
0637944677b7927cfb76b4e45a963829

SHA1
6cbdecded3fb4bc3ddeb8cb0973a909c9dfe5cf2

SHA256
82e99e57eaa5671490f194f9a30d0a3f56b017443b231e55d95abacf2c04cc8d

SHA512
515cbae689dcdee88341197af92ce241a6cbdc4566a1411479562a93d9c9c3e0b40d91b060ea619472735a188c7e10effbd8b7aea752a93fa21d2fca66af8da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBWMJI.bat

Filesize
190B

MD5
32b0195f32eeed471a7e1f73eb6df1a0

SHA1
b844cd7c2a6c3e3a84f3fe951c59242891396a30

SHA256
d2d6c8cd17d46a30dec0c4cc5a268faeff52644b049352d479eb796c6767a35b

SHA512
410b3f0e4cd2e4e529497073ba52b2e676a7cc0752d3a54618230c81866997506919c5ca34c02fd3a8f8cc6ce78922aea500b62db8af2e41e581ecd05985e8a1

Download Submit
memory/3124-13-0x0000000010000000-0x00000000100B8000-memory.dmp

Filesize
736KB

Download
memory/3716-10-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/3716-16-0x0000000010000000-0x00000000100B8000-memory.dmp

Filesize
736KB

Download
memory/4880-0-0x0000000010000000-0x00000000100B8000-memory.dmp

Filesize
736KB

Download
memory/4880-1-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/4880-4-0x0000000010000000-0x00000000100B8000-memory.dmp

Filesize
736KB

Download
memory/4880-14-0x0000000010000000-0x00000000100B8000-memory.dmp

Filesize
736KB

Download