5b4ebf8e05acdb97390210c9a8ffde46098142a4b1307da09706e2268528515a

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 11:55

Target

17af031ef2dd493957bfa0537da27090.exe
Size

355KB
MD5

17af031ef2dd493957bfa0537da27090
SHA1

ef239cd5de2ceb16b07501d9bc63e57e8d826ad4
SHA256

5b4ebf8e05acdb97390210c9a8ffde46098142a4b1307da09706e2268528515a
SHA512

8c96c292154cef26bcfec36477deaa4906f878ad2e5139dce26ab942182f6304483605ef9acf48f7a26df42d6400679ba80ba9f88b6ab409218c2a3dedee6e7e
SSDEEP

6144:JxpwP/CaiMF2idZecnl20lHRxp3gZ0yCKDmbVTy4oZKUjwlQ:HpwPaafF3Z4mxx80yzDYG4qKow2

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2488	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\qqmm.vxd	17af031ef2dd493957bfa0537da27090.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92B1E825-2EEF-44E5-8748-7639C7C9935F}	17af031ef2dd493957bfa0537da27090.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92B1E825-2EEF-44E5-8748-7639C7C9935F}\	17af031ef2dd493957bfa0537da27090.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92B1E825-2EEF-44E5-8748-7639C7C9935F}\InProcServer32	17af031ef2dd493957bfa0537da27090.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92B1E825-2EEF-44E5-8748-7639C7C9935F}\InProcServer32\ = "C:\\Windows\\SysWow64\\qqmm.vxd"	17af031ef2dd493957bfa0537da27090.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92B1E825-2EEF-44E5-8748-7639C7C9935F}\InProcServer32\ThreadingModel = "Apartment"	17af031ef2dd493957bfa0537da27090.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 2488	1040	17af031ef2dd493957bfa0537da27090.exe	17
PID 1040 wrote to memory of 2488	1040	17af031ef2dd493957bfa0537da27090.exe	17
PID 1040 wrote to memory of 2488	1040	17af031ef2dd493957bfa0537da27090.exe	17
PID 1040 wrote to memory of 2488	1040	17af031ef2dd493957bfa0537da27090.exe	17

C:\Users\Admin\AppData\Local\Temp\17af031ef2dd493957bfa0537da27090.exe
"C:\Users\Admin\AppData\Local\Temp\17af031ef2dd493957bfa0537da27090.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 17af031ef2dd493957bfa0537da27090.exe_deleteme.bat
  2⤵
  - Deletes itself
  PID:2488

C:\Users\Admin\AppData\Local\Temp\17af031ef2dd493957bfa0537da27090.exe_deleteme.bat

Filesize
184B

MD5
ed4546c51579aaf40c79413a474b2d6e

SHA1
4e18131bc13269200ee87c67478120097770b1eb

SHA256
6fbdc34602822083feea2961e88269c3b8b8cbdf949f7b48ca3ad3fe70f20a51

SHA512
8e2989e6c0bd522f34d9a9a0f9c015b611f05fac07c3096eeb8142ab39dcceffc4edea4d7030fb53ce9bff7003834a203c9ad019f7f2affa81739bb9ac1d47a0

Download Submit
memory/1040-12-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1040-15-0x0000000000310000-0x0000000000364000-memory.dmp

Filesize
336KB

Download
memory/1040-14-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1040-13-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1040-5-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1040-2-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1040-1-0x0000000000310000-0x0000000000364000-memory.dmp

Filesize
336KB

Download
memory/1040-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download