18894690e6634617b06f2b6d27710696edaed54bd40fd4462d408213560d1252

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 02:35

Target

24aa2147f860007f151193a902987783.exe
Size

18KB
MD5

24aa2147f860007f151193a902987783
SHA1

ab6f3c1f5a03e1fe48566a85a44641f0e95a910f
SHA256

18894690e6634617b06f2b6d27710696edaed54bd40fd4462d408213560d1252
SHA512

3a2f0f4752ceafc1a7d88799ba2f4da06db32209435c47e1ab5e0f15dc182ba450cc9caf4ef1519b7b147d7dc80ee02c4fcd7d42ff43f22bb1d90a01721c4869
SSDEEP

384:mnrHV2vDWpqoiQzNAgw5StyRRI9OfQCjvYg3FLJWQBrlqhTl:mrHV2IqVQzNAgwY4oCMg3bW8r4l

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1112	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2076	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dfoldesr.dll	24aa2147f860007f151193a902987783.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2220 set thread context of 2076	2220	24aa2147f860007f151193a902987783.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2220	24aa2147f860007f151193a902987783.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2076	2220	24aa2147f860007f151193a902987783.exe	28
PID 2220 wrote to memory of 2076	2220	24aa2147f860007f151193a902987783.exe	28
PID 2220 wrote to memory of 2076	2220	24aa2147f860007f151193a902987783.exe	28
PID 2220 wrote to memory of 2076	2220	24aa2147f860007f151193a902987783.exe	28
PID 2220 wrote to memory of 2076	2220	24aa2147f860007f151193a902987783.exe	28
PID 2220 wrote to memory of 1112	2220	24aa2147f860007f151193a902987783.exe	29
PID 2220 wrote to memory of 1112	2220	24aa2147f860007f151193a902987783.exe	29
PID 2220 wrote to memory of 1112	2220	24aa2147f860007f151193a902987783.exe	29
PID 2220 wrote to memory of 1112	2220	24aa2147f860007f151193a902987783.exe	29

C:\Users\Admin\AppData\Local\Temp\24aa2147f860007f151193a902987783.exe
"C:\Users\Admin\AppData\Local\Temp\24aa2147f860007f151193a902987783.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Loads dropped DLL
  PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\DEL.bat
  2⤵
  - Deletes itself
  PID:1112

C:\DEL.bat

Filesize
182B

MD5
9db1945c8a2dae8b699ef8d22090fd28

SHA1
1b6a630a5ab247e465a4e336c6de304f7251f8e4

SHA256
c530973ccff7197e48b83bec9e172197a6633c38cbeffe410ad4563c17312b9c

SHA512
f856a465caea5f4c3e83ffe8d32220b1214210d9de8eb415324deef23956a0a7117d7403a26f58ccb09a13eb840671974b4d6b50b8b18750c61f60469952cb67

Download Submit
C:\Windows\SysWOW64\dfoldesr.dll

Filesize
18KB

MD5
6563589cd1607cbec8d7a2f080a18275

SHA1
b7ae0152ac0282e8b260d147358553a3540fa639

SHA256
595cb3c7a10349fb661436df8a254ec78bb7f19f24071f4e416549859ec5d739

SHA512
1cf7918e95ac62dba60f049a57cf883239c3c62ab0d94104e5e036bf858f72b4c207df11af5d3efb92b991cd55561a8d003d2c5e5778ada539f491d0405c9ac5

Download Submit
memory/2076-3-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2076-12-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2076-17-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2220-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2220-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2220-15-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download