62c88b88fb3fa0bd718a95b210d3a467891de6442b70338d311b06087bd990fc

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 00:21

Target

0861c5ec7470838e340ba611ecc0051d.exe
Size

100KB
MD5

0861c5ec7470838e340ba611ecc0051d
SHA1

987055c1068a7b7eb2e724f01db87b790ca768a4
SHA256

62c88b88fb3fa0bd718a95b210d3a467891de6442b70338d311b06087bd990fc
SHA512

8f7a37769fdbce7fbad97ae4a942fdb1d4f1cd2376a0c03b39a211558e8586e08d7aca22eec335c5e2efdc69cfc4cf6696263612a4979dd170ebf24096aa424d
SSDEEP

768:odo+UH7YAFoWqjrM1vg//mYdo+Wv8f46QI8HayB3DNlhK:VaAFoT/4vgAhUw6gHBTw

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2012	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2892	0861c5ec7470838e340ba611ecc0051d.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\lnaixnauhqq.cfg	0861c5ec7470838e340ba611ecc0051d.exe
File opened for modification	C:\Windows\SysWOW64\lnaixnauhqq.dll	0861c5ec7470838e340ba611ecc0051d.exe
File created	C:\Windows\SysWOW64\lnaixnauhqq.dll	0861c5ec7470838e340ba611ecc0051d.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2892	0861c5ec7470838e340ba611ecc0051d.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2012	2892	0861c5ec7470838e340ba611ecc0051d.exe	29
PID 2892 wrote to memory of 2012	2892	0861c5ec7470838e340ba611ecc0051d.exe	29
PID 2892 wrote to memory of 2012	2892	0861c5ec7470838e340ba611ecc0051d.exe	29
PID 2892 wrote to memory of 2012	2892	0861c5ec7470838e340ba611ecc0051d.exe	29

C:\Users\Admin\AppData\Local\Temp\0861c5ec7470838e340ba611ecc0051d.exe
"C:\Users\Admin\AppData\Local\Temp\0861c5ec7470838e340ba611ecc0051d.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\0861c5ec7470838e340ba611ecc0051d.exe"
  2⤵
  - Deletes itself
  PID:2012

memory/2892-7-0x0000000025000000-0x000000002501C000-memory.dmp

Filesize
112KB

Download