48a3f6109a55c4227a22bf617b17994618ceb470bb515b1fdcafc6f66a33736c

Analysis

max time kernel
121s
max time network
138s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 21:22

Target

1cd68275af3e896c65c5c7ff3e66b0c4.exe
Size

57KB
MD5

1cd68275af3e896c65c5c7ff3e66b0c4
SHA1

aa8640a7051bafa8705aefa2b5ae0d1314f0f372
SHA256

48a3f6109a55c4227a22bf617b17994618ceb470bb515b1fdcafc6f66a33736c
SHA512

2ed1ac6608f35e3876a785b1c8b846801122ecc14ebff4ce9ded1039f7a88990d2e47ef1b4f57b1abe8e40183e3927dfcb66b06b4eba811084e8ebcb09f31cf4
SSDEEP

768:vCru/f9Iw/E6zy4n8uZ5tUXMJ+fROUmELY2glEbM3j+rd+fpRiTWNReOOe:71Tzy48untU8fOMEI3jyYfPiuOe

Score

1^/10

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 3048	2280	1cd68275af3e896c65c5c7ff3e66b0c4.exe	29
PID 2280 wrote to memory of 3048	2280	1cd68275af3e896c65c5c7ff3e66b0c4.exe	29
PID 2280 wrote to memory of 3048	2280	1cd68275af3e896c65c5c7ff3e66b0c4.exe	29
PID 2280 wrote to memory of 3048	2280	1cd68275af3e896c65c5c7ff3e66b0c4.exe	29
PID 3048 wrote to memory of 2756	3048	cmd.exe	30
PID 3048 wrote to memory of 2756	3048	cmd.exe	30
PID 3048 wrote to memory of 2756	3048	cmd.exe	30
PID 3048 wrote to memory of 2756	3048	cmd.exe	30
PID 2756 wrote to memory of 2780	2756	iexpress.exe	31
PID 2756 wrote to memory of 2780	2756	iexpress.exe	31
PID 2756 wrote to memory of 2780	2756	iexpress.exe	31
PID 2756 wrote to memory of 2780	2756	iexpress.exe	31

C:\Users\Admin\AppData\Local\Temp\1cd68275af3e896c65c5c7ff3e66b0c4.exe
"C:\Users\Admin\AppData\Local\Temp\1cd68275af3e896c65c5c7ff3e66b0c4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\84D9.tmp\1.bat" "C:\Users\Admin\AppData\Local\Temp\1cd68275af3e896c65c5c7ff3e66b0c4.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\iexpress.exe
    iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\popup.sed
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\makecab.exe
      C:\Windows\SysWOW64\makecab.exe /f "~%TargetName%.DDF"
      4⤵
      PID:2780

C:\Users\Admin\AppData\Local\Temp\84D9.tmp\1.bat

Filesize
1KB

MD5
02dba5f37067292355c6d01a57d4ef48

SHA1
7c67ab3f99fbf7a53018dd295d2968c525db83d9

SHA256
8b74c812ba9e6c536da7edd4101e7e0dddeab8355e5aff095dd31b3f00560242

SHA512
12201f949ee3198c8f4b39cc8edf90a114ecf42ddd5383ed0b87e4c78053cd517786dc7af83557e63a0483af74f4c0117d5568441ae761ff6958e758704d602a

Download Submit
C:\Users\Admin\AppData\Local\Temp\popup.sed

Filesize
57KB

MD5
fbf0bdec1af3bf7a05b0f0117a0fc4a8

SHA1
ba31b1af43ff36753bd4a6607e49fdb34feb7059

SHA256
4f89718416c63354a4b820a69e141f53f05d526be82f686ca21841f0caba9180

SHA512
5432a35757d3b323ab094ecb4df95cb51a4e52ee90710e7f26dc1636a12ad5a67e682c641acb973a472aea4f2bc88631d466369af87f5ced44e9814e85cf9fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\~%TargetName%.DDF

Filesize
724B

MD5
c3ca008abd6997c4b036a7e8be75cb2c

SHA1
05f7a3527bb04c691b08f040f562582035398829

SHA256
29ef6bf47dcc8c67f1abe1b269d3518d6a4ebe125daa1ea460779638cb9782a3

SHA512
bee0baf3cb83144239077f99f5ca2a6ca7b618f7f51a53e03613ae697e8bc76fa28f5d006296b469be8e1fffeeb35668b5fe87b260b1380cc003815ea9efb083

Download Submit