615461a4b5f031337570690a9f0c15393f05201b5c7d98b01e26d6f359658a2e

Analysis

max time kernel
7s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 02:13

Target

0b499ef5478c831a409feebc5ebb23fa.exe
Size

188KB
MD5

0b499ef5478c831a409feebc5ebb23fa
SHA1

36f48db551dca2d7bc5cbb50a2af5532f74868b3
SHA256

615461a4b5f031337570690a9f0c15393f05201b5c7d98b01e26d6f359658a2e
SHA512

192d76afad30505a354f8061adb9afa2f571f4d06f5d965649a641d7a01b29fc6818685237305a0cee559894340b4bd5bcc79685eb8dfeab484a466cad6c19fb
SSDEEP

3072:UCmL6hBoNF4vaZOIYNLJPmWxwfgKO57TrR30zVAAJSBptmcf6ihCo1a64CuEHEOd:PmL6hBDYOIYvPmW2fE57TrCAAUA3iBQ2

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1128	xpos.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\xpos.exe	0b499ef5478c831a409feebc5ebb23fa.exe
File opened for modification	C:\windows\xpos.exe	0b499ef5478c831a409feebc5ebb23fa.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 1268	5068	0b499ef5478c831a409feebc5ebb23fa.exe	24
PID 5068 wrote to memory of 1268	5068	0b499ef5478c831a409feebc5ebb23fa.exe	24
PID 5068 wrote to memory of 1268	5068	0b499ef5478c831a409feebc5ebb23fa.exe	24
PID 1268 wrote to memory of 1720	1268	net.exe	19
PID 1268 wrote to memory of 1720	1268	net.exe	19
PID 1268 wrote to memory of 1720	1268	net.exe	19
PID 5068 wrote to memory of 1128	5068	0b499ef5478c831a409feebc5ebb23fa.exe	98
PID 5068 wrote to memory of 1128	5068	0b499ef5478c831a409feebc5ebb23fa.exe	98
PID 5068 wrote to memory of 1128	5068	0b499ef5478c831a409feebc5ebb23fa.exe	98
PID 1128 wrote to memory of 3384	1128	xpos.exe	97
PID 1128 wrote to memory of 3384	1128	xpos.exe	97
PID 1128 wrote to memory of 3384	1128	xpos.exe	97
PID 3384 wrote to memory of 4372	3384	net.exe	95
PID 3384 wrote to memory of 4372	3384	net.exe	95
PID 3384 wrote to memory of 4372	3384	net.exe	95

C:\Users\Admin\AppData\Local\Temp\0b499ef5478c831a409feebc5ebb23fa.exe
"C:\Users\Admin\AppData\Local\Temp\0b499ef5478c831a409feebc5ebb23fa.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\SysWOW64\net.exe
  net stop SharedAccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1268
- C:\windows\xpos.exe
  C:\windows\xpos.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess
1⤵
PID:1720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess
1⤵
PID:4372

C:\Windows\SysWOW64\net.exe
net stop SharedAccess
1⤵
- Suspicious use of WriteProcessMemory
PID:3384

memory/1128-5-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1128-16-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5068-0-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/5068-6-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download