e0537123c59425497b027fe61a9534504c67a23dbb6f07c534b31b14b416eea7

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 02:09

Target

23fe6b875e30cdc5b42d68a9e8237d34.exe
Size

18KB
MD5

23fe6b875e30cdc5b42d68a9e8237d34
SHA1

79da6a25e40487802dbc321f611f60b936d4f894
SHA256

e0537123c59425497b027fe61a9534504c67a23dbb6f07c534b31b14b416eea7
SHA512

ee11b670ec291443d68d377528626ee7ba613922074b4be9ced553ac06cfc2dd800f67c917bd1a7ff56aa026c247e7e830d6fad2c442342df8698714fd586737
SSDEEP

384:aqvf3azNEqLE7/Zgs80YOKdwLzoVFudx6EUu4I1d2GdmIoPVDJEE2wH+:arl0YFYoVgGEUuTdmrVFH+

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
1704	23fe6b875e30cdc5b42d68a9e8237d34.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\gdzhtui32.dll	23fe6b875e30cdc5b42d68a9e8237d34.exe
File created	C:\Windows\SysWOW64\gdzhtui32.dll	23fe6b875e30cdc5b42d68a9e8237d34.exe
File opened for modification	C:\Windows\SysWOW64\gdzhtui32.cfg	23fe6b875e30cdc5b42d68a9e8237d34.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1704	23fe6b875e30cdc5b42d68a9e8237d34.exe
1704	23fe6b875e30cdc5b42d68a9e8237d34.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 3608	1704	23fe6b875e30cdc5b42d68a9e8237d34.exe	36
PID 1704 wrote to memory of 3608	1704	23fe6b875e30cdc5b42d68a9e8237d34.exe	36
PID 1704 wrote to memory of 3608	1704	23fe6b875e30cdc5b42d68a9e8237d34.exe	36

C:\Users\Admin\AppData\Local\Temp\23fe6b875e30cdc5b42d68a9e8237d34.exe
"C:\Users\Admin\AppData\Local\Temp\23fe6b875e30cdc5b42d68a9e8237d34.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\23fe6b875e30cdc5b42d68a9e8237d34.exe"
  2⤵
  PID:3608

memory/1704-8-0x0000000025000000-0x000000002501C000-memory.dmp

Filesize
112KB

Download
memory/1704-12-0x0000000025000000-0x000000002501C000-memory.dmp

Filesize
112KB

Download