fca37947dead6e48532b221ceee3ce793648f2f8d628e53c0e083ce7a5728a94

Analysis

max time kernel
138s
max time network
161s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 18:06

Target

0007769abe33d86241803b8d406bf7ec.exe
Size

60KB
MD5

0007769abe33d86241803b8d406bf7ec
SHA1

91043345c325c399512526d2747930ae26060868
SHA256

fca37947dead6e48532b221ceee3ce793648f2f8d628e53c0e083ce7a5728a94
SHA512

beca1fb0c2fe230ae70a95a2b37523a79ecc6c43b17507d0bdb174581e966970a6ea7e947fa7061a46a80e440494703fb51bfdfa0e6eaa0940ec3bc6d6f90788
SSDEEP

768:c6Q4sFnBNSROBq1LE1HcCWMDc8OHC4OBifHhTZNB8+EqwCwXw2:HmFnnmOBqC18Lqc8mZJTPB8vqwCsw

Score

7^/10

Deletes itself 1 IoCs

pid	Process
532	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
776	yrovuvwb.exe

Loads dropped DLL 2 IoCs

pid	Process
1716	0007769abe33d86241803b8d406bf7ec.exe
1716	0007769abe33d86241803b8d406bf7ec.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1716	0007769abe33d86241803b8d406bf7ec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 776	1716	0007769abe33d86241803b8d406bf7ec.exe	31
PID 1716 wrote to memory of 776	1716	0007769abe33d86241803b8d406bf7ec.exe	31
PID 1716 wrote to memory of 776	1716	0007769abe33d86241803b8d406bf7ec.exe	31
PID 1716 wrote to memory of 776	1716	0007769abe33d86241803b8d406bf7ec.exe	31
PID 1716 wrote to memory of 532	1716	0007769abe33d86241803b8d406bf7ec.exe	32
PID 1716 wrote to memory of 532	1716	0007769abe33d86241803b8d406bf7ec.exe	32
PID 1716 wrote to memory of 532	1716	0007769abe33d86241803b8d406bf7ec.exe	32
PID 1716 wrote to memory of 532	1716	0007769abe33d86241803b8d406bf7ec.exe	32

C:\Users\Admin\AppData\Local\Temp\0007769abe33d86241803b8d406bf7ec.exe
"C:\Users\Admin\AppData\Local\Temp\0007769abe33d86241803b8d406bf7ec.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1716
- C:\ProgramData\qfilcrwn\yrovuvwb.exe
  C:\ProgramData\qfilcrwn\yrovuvwb.exe
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\SysWOW64\cmd.exe
  /c del /f C:\Users\Admin\AppData\Local\Temp\000776~1.EXE.bak >> NUL
  2⤵
  - Deletes itself
  PID:532

\ProgramData\qfilcrwn\yrovuvwb.exe

Filesize
60KB

MD5
0007769abe33d86241803b8d406bf7ec

SHA1
91043345c325c399512526d2747930ae26060868

SHA256
fca37947dead6e48532b221ceee3ce793648f2f8d628e53c0e083ce7a5728a94

SHA512
beca1fb0c2fe230ae70a95a2b37523a79ecc6c43b17507d0bdb174581e966970a6ea7e947fa7061a46a80e440494703fb51bfdfa0e6eaa0940ec3bc6d6f90788

Download Submit