472be922ad532cd905370a72f1b16a6cd2c19303b9e8706e075d596b5247e058

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 23:19

Target

06b8d00a2d0d091d642be51d6ec1eb68.exe
Size

9KB
MD5

06b8d00a2d0d091d642be51d6ec1eb68
SHA1

2a44ff51c87d13490dcce8e39e23f8dafbd163b3
SHA256

472be922ad532cd905370a72f1b16a6cd2c19303b9e8706e075d596b5247e058
SHA512

79c857acce3cc51009fdacd8f78237d75812bcbe0725b9e4cbc70d4084b3d998e58e234af0f93a819f5018b011d0c3a1de4bc28d6ed2a475a8f1cfb0bcc25bdc
SSDEEP

192:hdLOo5hsebbJcrXbpLtBnmGRVDGTOLZD9YgDAY7zQbaujap:uewb1mGVDh/AY7zQbaQY

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1996	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2256	06b8d00a2d0d091d642be51d6ec1eb68.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\adsntzt.tmp	06b8d00a2d0d091d642be51d6ec1eb68.exe
File opened for modification	C:\Windows\SysWOW64\adsntzt.tmp	06b8d00a2d0d091d642be51d6ec1eb68.exe
File opened for modification	C:\Windows\SysWOW64\adsntzt.nls	06b8d00a2d0d091d642be51d6ec1eb68.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2256	06b8d00a2d0d091d642be51d6ec1eb68.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2256	06b8d00a2d0d091d642be51d6ec1eb68.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1996	2256	06b8d00a2d0d091d642be51d6ec1eb68.exe	29
PID 2256 wrote to memory of 1996	2256	06b8d00a2d0d091d642be51d6ec1eb68.exe	29
PID 2256 wrote to memory of 1996	2256	06b8d00a2d0d091d642be51d6ec1eb68.exe	29
PID 2256 wrote to memory of 1996	2256	06b8d00a2d0d091d642be51d6ec1eb68.exe	29

C:\Users\Admin\AppData\Local\Temp\06b8d00a2d0d091d642be51d6ec1eb68.exe
"C:\Users\Admin\AppData\Local\Temp\06b8d00a2d0d091d642be51d6ec1eb68.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\25D8.tmp.bat
  2⤵
  - Deletes itself
  PID:1996

C:\Users\Admin\AppData\Local\Temp\25D8.tmp.bat

Filesize
179B

MD5
ef7822a234beacb7005ea2b47ebdcd6f

SHA1
63fedad712f7dceca7ca7a842f799903cf24b79e

SHA256
22a22b166e8728af1126529a6809b211fef5f329992e3e5e379aaecaae14bf3f

SHA512
0e87bacce49c7b19cf40e2ba52c42a9ac1961371d77606debbe5fae33aed0f820d8c6671b94641c3fe9ecae1d2d258ee5e73de8cef2f6d8f6df927980a0bf28f

Download Submit