cb6f0350e4ae46ba4f9037648406ba7a6066e0eb3097286bbd78e5ee27eb71b4

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 14:20

Target

1b3d14682e796ed7749469e8e2003ccc.exe
Size

27KB
MD5

1b3d14682e796ed7749469e8e2003ccc
SHA1

4b4ca1cf7796a2d59c7ebfed2d34eba107576e99
SHA256

cb6f0350e4ae46ba4f9037648406ba7a6066e0eb3097286bbd78e5ee27eb71b4
SHA512

b133d6918eb3180915dea5a0e9ddf03250b993863ee0baced5545432c54b877b2e37f975b517857d36c3ef98333cf5cfca4f18b722df53d500892b3971dcc9ac
SSDEEP

384:Rjk/A6WET7A5tRIoTS/DdJjjXNHN1doc0lZoEbtxb1JZoZs2daBl1bQg1k:Rjk/A6WYBD3XvQcq9xHqZjk/k

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2728	NTdhcp.exe

Loads dropped DLL 2 IoCs

pid	Process
2428	1b3d14682e796ed7749469e8e2003ccc.exe
2428	1b3d14682e796ed7749469e8e2003ccc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NTdhcp.exe	1b3d14682e796ed7749469e8e2003ccc.exe
File opened for modification	C:\Windows\SysWOW64\NTdhcp.exe	1b3d14682e796ed7749469e8e2003ccc.exe
File opened for modification	C:\Windows\SysWOW64\NTdhcp.exe	NTdhcp.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Deleteme.bat	1b3d14682e796ed7749469e8e2003ccc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2728	2428	1b3d14682e796ed7749469e8e2003ccc.exe	16
PID 2428 wrote to memory of 2728	2428	1b3d14682e796ed7749469e8e2003ccc.exe	16
PID 2428 wrote to memory of 2728	2428	1b3d14682e796ed7749469e8e2003ccc.exe	16
PID 2428 wrote to memory of 2728	2428	1b3d14682e796ed7749469e8e2003ccc.exe	16
PID 2428 wrote to memory of 2712	2428	1b3d14682e796ed7749469e8e2003ccc.exe	15
PID 2428 wrote to memory of 2712	2428	1b3d14682e796ed7749469e8e2003ccc.exe	15
PID 2428 wrote to memory of 2712	2428	1b3d14682e796ed7749469e8e2003ccc.exe	15
PID 2428 wrote to memory of 2712	2428	1b3d14682e796ed7749469e8e2003ccc.exe	15

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\Deleteme.bat
1⤵
- Deletes itself
PID:2712

\Windows\SysWOW64\NTdhcp.exe

Filesize
27KB

MD5
1b3d14682e796ed7749469e8e2003ccc

SHA1
4b4ca1cf7796a2d59c7ebfed2d34eba107576e99

SHA256
cb6f0350e4ae46ba4f9037648406ba7a6066e0eb3097286bbd78e5ee27eb71b4

SHA512
b133d6918eb3180915dea5a0e9ddf03250b993863ee0baced5545432c54b877b2e37f975b517857d36c3ef98333cf5cfca4f18b722df53d500892b3971dcc9ac

Download Submit
memory/2428-11-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2428-21-0x0000000000400000-0x0000000000416200-memory.dmp

Filesize
88KB

Download
memory/2428-4-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2428-0-0x0000000000400000-0x0000000000416200-memory.dmp

Filesize
88KB

Download
memory/2728-14-0x0000000000400000-0x0000000000416200-memory.dmp

Filesize
88KB

Download