61b6d78da9996b7268edfc3bc77f818c15b2b1120b7d2e5b3c3bf3554f315183

Analysis

max time kernel
239s
max time network
290s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 23:35

Target

0719756f5bb4eae79bc8128a46fe2f4f.exe
Size

28KB
MD5

0719756f5bb4eae79bc8128a46fe2f4f
SHA1

61c2f981b9534840c24a6af63e95b84359bc612e
SHA256

61b6d78da9996b7268edfc3bc77f818c15b2b1120b7d2e5b3c3bf3554f315183
SHA512

a795ae0e89a442c3cd45692ab2f9b1219c4ecf0023e6fce64e6b575c4d18f9717cd22dd51a229cbfdc871ad586af0fe448087ff0fa8f2054e7c1e65b9597c435
SSDEEP

384:kCKbQGufI8mQ9KaonyCvNmp5pnoQVYAtK9pSvILoj6qJx++j+jp0pNpRTZ2n+x0G:k52LKzyqmJnHyAtKzCILCJg+jmivwne

Score

7^/10

Deletes itself 1 IoCs

pid	Process
368	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1208	NTdHcP.exe

Loads dropped DLL 2 IoCs

pid	Process
672	0719756f5bb4eae79bc8128a46fe2f4f.exe
672	0719756f5bb4eae79bc8128a46fe2f4f.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\NTdHcP.exe	0719756f5bb4eae79bc8128a46fe2f4f.exe
File opened for modification	C:\Windows\SysWOW64\NTdHcP.exe	NTdHcP.exe
File created	C:\Windows\SysWOW64\NTdHcP.exe	0719756f5bb4eae79bc8128a46fe2f4f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Deleteme.bat	0719756f5bb4eae79bc8128a46fe2f4f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 672 wrote to memory of 1208	672	0719756f5bb4eae79bc8128a46fe2f4f.exe	27
PID 672 wrote to memory of 1208	672	0719756f5bb4eae79bc8128a46fe2f4f.exe	27
PID 672 wrote to memory of 1208	672	0719756f5bb4eae79bc8128a46fe2f4f.exe	27
PID 672 wrote to memory of 1208	672	0719756f5bb4eae79bc8128a46fe2f4f.exe	27
PID 672 wrote to memory of 368	672	0719756f5bb4eae79bc8128a46fe2f4f.exe	28
PID 672 wrote to memory of 368	672	0719756f5bb4eae79bc8128a46fe2f4f.exe	28
PID 672 wrote to memory of 368	672	0719756f5bb4eae79bc8128a46fe2f4f.exe	28
PID 672 wrote to memory of 368	672	0719756f5bb4eae79bc8128a46fe2f4f.exe	28

C:\Users\Admin\AppData\Local\Temp\0719756f5bb4eae79bc8128a46fe2f4f.exe
"C:\Users\Admin\AppData\Local\Temp\0719756f5bb4eae79bc8128a46fe2f4f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:672
- C:\Windows\SysWOW64\NTdHcP.exe
  C:\Windows\system32\NTdHcP.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\Deleteme.bat
  2⤵
  - Deletes itself
  PID:368

C:\Windows\Deleteme.bat

Filesize
184B

MD5
a844c857bac0b3b82f751a079eb88228

SHA1
2e9aa28e4901b54ce374121e93bdc4a23fb8f0d7

SHA256
b16a487376d09dd3b930fcdbf54a4c114ec47e2a63a1d21042ba6e07d4fdaa38

SHA512
06c960660c188e31ed17fef6c18f85bee06c47caac6e910ae4592cbf05f1dc51a12f2976543de802847215a0cd2269937bddda066b203db408522acd95626076

Download Submit
\Windows\SysWOW64\NTdHcP.exe

Filesize
28KB

MD5
0719756f5bb4eae79bc8128a46fe2f4f

SHA1
61c2f981b9534840c24a6af63e95b84359bc612e

SHA256
61b6d78da9996b7268edfc3bc77f818c15b2b1120b7d2e5b3c3bf3554f315183

SHA512
a795ae0e89a442c3cd45692ab2f9b1219c4ecf0023e6fce64e6b575c4d18f9717cd22dd51a229cbfdc871ad586af0fe448087ff0fa8f2054e7c1e65b9597c435

Download Submit
memory/672-0-0x0000000000400000-0x000000000041D200-memory.dmp

Filesize
116KB

Download
memory/672-1-0x0000000000400000-0x000000000041D200-memory.dmp

Filesize
116KB

Download
memory/672-5-0x0000000000220000-0x000000000023E000-memory.dmp

Filesize
120KB

Download
memory/672-23-0x0000000000400000-0x000000000041D200-memory.dmp

Filesize
116KB

Download
memory/1208-12-0x0000000000400000-0x000000000041D200-memory.dmp

Filesize
116KB

Download
memory/1208-21-0x0000000000400000-0x000000000041D200-memory.dmp

Filesize
116KB

Download