44fcf5c869785524b1c879d63c248323aff2f7d99acbd13457fb1d576f3de769

Analysis

max time kernel
142s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 00:49

Target

223c827ce6363502ea2cc3dc966561dc.exe
Size

15KB
MD5

223c827ce6363502ea2cc3dc966561dc
SHA1

46e4442f959fec64102ee0781587a688ce2e2834
SHA256

44fcf5c869785524b1c879d63c248323aff2f7d99acbd13457fb1d576f3de769
SHA512

0c5f6d693952be9e07052f5dd084460c3aa7d28f185d82356fb2d6443166528c0cad581267e181080361484f3ed4f2b7a8b6b7c39b44e3b2de02af7c99655d0c
SSDEEP

192:ngXGSf7qLl5u3Qz9N5dLnSR2tIlO1zSoYVP4UNnyJQHvAEZTIxKxHoGvW:if7e8uLGvOLYqUEevAExubGvW

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2208	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2488	system.exe

Loads dropped DLL 2 IoCs

pid	Process
2052	223c827ce6363502ea2cc3dc966561dc.exe
2052	223c827ce6363502ea2cc3dc966561dc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	223c827ce6363502ea2cc3dc966561dc.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	223c827ce6363502ea2cc3dc966561dc.exe
File created	C:\Windows\SysWOW64\jiu.txt	223c827ce6363502ea2cc3dc966561dc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2488	2052	223c827ce6363502ea2cc3dc966561dc.exe	28
PID 2052 wrote to memory of 2488	2052	223c827ce6363502ea2cc3dc966561dc.exe	28
PID 2052 wrote to memory of 2488	2052	223c827ce6363502ea2cc3dc966561dc.exe	28
PID 2052 wrote to memory of 2488	2052	223c827ce6363502ea2cc3dc966561dc.exe	28
PID 2052 wrote to memory of 2208	2052	223c827ce6363502ea2cc3dc966561dc.exe	29
PID 2052 wrote to memory of 2208	2052	223c827ce6363502ea2cc3dc966561dc.exe	29
PID 2052 wrote to memory of 2208	2052	223c827ce6363502ea2cc3dc966561dc.exe	29
PID 2052 wrote to memory of 2208	2052	223c827ce6363502ea2cc3dc966561dc.exe	29

C:\Users\Admin\AppData\Local\Temp\223c827ce6363502ea2cc3dc966561dc.exe
"C:\Users\Admin\AppData\Local\Temp\223c827ce6363502ea2cc3dc966561dc.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /q /a "C:\Users\Admin\AppData\Local\Temp\223c827ce6363502ea2cc3dc966561dc.exe"
  2⤵
  - Deletes itself
  PID:2208

\Windows\SysWOW64\system.exe

Filesize
15KB

MD5
223c827ce6363502ea2cc3dc966561dc

SHA1
46e4442f959fec64102ee0781587a688ce2e2834

SHA256
44fcf5c869785524b1c879d63c248323aff2f7d99acbd13457fb1d576f3de769

SHA512
0c5f6d693952be9e07052f5dd084460c3aa7d28f185d82356fb2d6443166528c0cad581267e181080361484f3ed4f2b7a8b6b7c39b44e3b2de02af7c99655d0c

Download Submit
memory/2052-8-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2488-9-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download