44f1ee5b52094efeedc0c924455cd715721f5c4e7537ae0f9256166fe828a929

Analysis

max time kernel
140s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 03:40

Target

26b3d8517a6c34016a83b4b924f19f08.exe
Size

870KB
MD5

26b3d8517a6c34016a83b4b924f19f08
SHA1

8ef681ec099c8cde8932b5675fe3961e61b3fa70
SHA256

44f1ee5b52094efeedc0c924455cd715721f5c4e7537ae0f9256166fe828a929
SHA512

eaefe5aeab2529fe2d8bdf2f6d52f79c5eee3d0c026337c5b66a0e12db31557d8b1cd3de696b89c5690038d300916c0b9bb8cbad39f6ed683085f923029e3eb2
SSDEEP

12288:KrdNvuZ2wdF/fKFQPfAvXUzC/eCXJFWUA3Q6v6SVc0hYEbqpU:KrH2ZxF/flPo2UrJFWhTvTY+qm

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
4864	rund1l.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rund1l.exe	26b3d8517a6c34016a83b4b924f19f08.exe
File opened for modification	C:\Windows\SysWOW64\rund1l.exe	26b3d8517a6c34016a83b4b924f19f08.exe
File opened for modification	C:\Windows\SysWOW64\rund1l.exe	rund1l.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	26b3d8517a6c34016a83b4b924f19f08.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 4864	2264	26b3d8517a6c34016a83b4b924f19f08.exe	40
PID 2264 wrote to memory of 4864	2264	26b3d8517a6c34016a83b4b924f19f08.exe	40
PID 2264 wrote to memory of 4864	2264	26b3d8517a6c34016a83b4b924f19f08.exe	40
PID 2264 wrote to memory of 2556	2264	26b3d8517a6c34016a83b4b924f19f08.exe	39
PID 2264 wrote to memory of 2556	2264	26b3d8517a6c34016a83b4b924f19f08.exe	39
PID 2264 wrote to memory of 2556	2264	26b3d8517a6c34016a83b4b924f19f08.exe	39

C:\Users\Admin\AppData\Local\Temp\26b3d8517a6c34016a83b4b924f19f08.exe
"C:\Users\Admin\AppData\Local\Temp\26b3d8517a6c34016a83b4b924f19f08.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:2556
- C:\Windows\SysWOW64\rund1l.exe
  C:\Windows\system32\rund1l.exe -NetSata
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4864

memory/2264-2-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2264-10-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4864-8-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4864-6-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download