8e50dabdb2317738612998fcc21750ec244e430ab7e669754d83ac6b9f66f627

Analysis

max time kernel
148s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 02:54

Target

254c3fe6bfe378135b288c697667c869.exe
Size

630KB
MD5

254c3fe6bfe378135b288c697667c869
SHA1

f28e98d9da3b37925011228aee3fb799946abcab
SHA256

8e50dabdb2317738612998fcc21750ec244e430ab7e669754d83ac6b9f66f627
SHA512

bd69badce4a5bb71ed5aea097be36d9fc09fbe350597a76c20f858682e7047b54bee3a23a2a0e01da37dfaec2192be462973c96be1554baedbcea32af881a0e7
SSDEEP

12288:ZlwS15F7p/tf4rUpBSYp8FCAypb76Iq+5w34t:Zum7pZ4rqxsC/TqKyO

Score

5^/10

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Deleteme.bat	254c3fe6bfe378135b288c697667c869.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\winyouyue.exe	254c3fe6bfe378135b288c697667c869.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\winyouyue.exe	254c3fe6bfe378135b288c697667c869.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1072	2356	254c3fe6bfe378135b288c697667c869.exe	47
PID 2356 wrote to memory of 1072	2356	254c3fe6bfe378135b288c697667c869.exe	47
PID 2356 wrote to memory of 1072	2356	254c3fe6bfe378135b288c697667c869.exe	47
PID 2356 wrote to memory of 3924	2356	254c3fe6bfe378135b288c697667c869.exe	46
PID 2356 wrote to memory of 3924	2356	254c3fe6bfe378135b288c697667c869.exe	46

C:\Users\Admin\AppData\Local\Temp\254c3fe6bfe378135b288c697667c869.exe
"C:\Users\Admin\AppData\Local\Temp\254c3fe6bfe378135b288c697667c869.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:3924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:1072

C:\Windows\SysWOW64\Deleteme.bat

Filesize
190B

MD5
2008460a09425390479c6e6af8393b07

SHA1
dfa68c983d216fdac3e189e58a7a4170e67381b0

SHA256
e4993c9528225dc35d88fe740e4edbb50568e1f46eb8d72bc8313f6a313fd0f9

SHA512
c1b0479d75a5c10d984a1efe9ee897588f21034df089a33484ea2ed51593c75e237bb96ae094fb3c77f8b6e1251249d2e98d4038c581b8d553291d649c5da575

Download Submit
memory/2356-0-0x0000000000400000-0x00000000004A4200-memory.dmp

Filesize
656KB

Download
memory/2356-1-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2356-6-0x0000000000400000-0x00000000004A4200-memory.dmp

Filesize
656KB

Download