615461a4b5f031337570690a9f0c15393f05201b5c7d98b01e26d6f359658a2e

Analysis

max time kernel
8s
max time network
131s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 02:13

Target

0b499ef5478c831a409feebc5ebb23fa.exe
Size

188KB
MD5

0b499ef5478c831a409feebc5ebb23fa
SHA1

36f48db551dca2d7bc5cbb50a2af5532f74868b3
SHA256

615461a4b5f031337570690a9f0c15393f05201b5c7d98b01e26d6f359658a2e
SHA512

192d76afad30505a354f8061adb9afa2f571f4d06f5d965649a641d7a01b29fc6818685237305a0cee559894340b4bd5bcc79685eb8dfeab484a466cad6c19fb
SSDEEP

3072:UCmL6hBoNF4vaZOIYNLJPmWxwfgKO57TrR30zVAAJSBptmcf6ihCo1a64CuEHEOd:PmL6hBDYOIYvPmW2fE57TrCAAUA3iBQ2

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
3008	xpos.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\windows\xpos.exe	0b499ef5478c831a409feebc5ebb23fa.exe
File created	C:\windows\xpos.exe	0b499ef5478c831a409feebc5ebb23fa.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 1732	888	0b499ef5478c831a409feebc5ebb23fa.exe	18
PID 888 wrote to memory of 1732	888	0b499ef5478c831a409feebc5ebb23fa.exe	18
PID 888 wrote to memory of 1732	888	0b499ef5478c831a409feebc5ebb23fa.exe	18
PID 888 wrote to memory of 1732	888	0b499ef5478c831a409feebc5ebb23fa.exe	18
PID 1732 wrote to memory of 1520	1732	net.exe	16
PID 1732 wrote to memory of 1520	1732	net.exe	16
PID 1732 wrote to memory of 1520	1732	net.exe	16
PID 1732 wrote to memory of 1520	1732	net.exe	16
PID 888 wrote to memory of 3008	888	0b499ef5478c831a409feebc5ebb23fa.exe	35
PID 888 wrote to memory of 3008	888	0b499ef5478c831a409feebc5ebb23fa.exe	35
PID 888 wrote to memory of 3008	888	0b499ef5478c831a409feebc5ebb23fa.exe	35
PID 888 wrote to memory of 3008	888	0b499ef5478c831a409feebc5ebb23fa.exe	35
PID 3008 wrote to memory of 2128	3008	xpos.exe	34
PID 3008 wrote to memory of 2128	3008	xpos.exe	34
PID 3008 wrote to memory of 2128	3008	xpos.exe	34
PID 3008 wrote to memory of 2128	3008	xpos.exe	34
PID 2128 wrote to memory of 2584	2128	net.exe	32
PID 2128 wrote to memory of 2584	2128	net.exe	32
PID 2128 wrote to memory of 2584	2128	net.exe	32
PID 2128 wrote to memory of 2584	2128	net.exe	32

C:\Users\Admin\AppData\Local\Temp\0b499ef5478c831a409feebc5ebb23fa.exe
"C:\Users\Admin\AppData\Local\Temp\0b499ef5478c831a409feebc5ebb23fa.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:888
- C:\Windows\SysWOW64\net.exe
  net stop SharedAccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- C:\windows\xpos.exe
  C:\windows\xpos.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess
1⤵
PID:1520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess
1⤵
PID:2584

C:\Windows\SysWOW64\net.exe
net stop SharedAccess
1⤵
- Suspicious use of WriteProcessMemory
PID:2128

memory/888-0-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/888-9-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3008-8-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/3008-442-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3008-665-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download