6a6599afc0d9fc549a9b42596fb4cccf2f2841573d4759b1acd038cc54135b12

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 04:33

Target

284dd545e69b6ea602f7611e73cbdb03.exe
Size

208KB
MD5

284dd545e69b6ea602f7611e73cbdb03
SHA1

f75d38e8fb21c869c95d8d86023b8ac4cf2ca1cc
SHA256

6a6599afc0d9fc549a9b42596fb4cccf2f2841573d4759b1acd038cc54135b12
SHA512

dc21819f8f180b4724e6776d32e46c24b6a2d4b3a1893aa66d8c5df4b625adfaa4655f91f4f61c37b2f2f0d786224761a0aa8ac3f08e0e86a7f0810c21ad9efa
SSDEEP

6144:Xl2qyfNCDVWV7IR9WcRhKTYtewWMdtnQ9:MjNmVWV7MWcRwTKYMdtn

Score

7^/10

Executes dropped EXE 3 IoCs

Loads dropped DLL 6 IoCs

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2792	2448	284dd545e69b6ea602f7611e73cbdb03.exe	17
PID 2448 wrote to memory of 2792	2448	284dd545e69b6ea602f7611e73cbdb03.exe	17
PID 2448 wrote to memory of 2792	2448	284dd545e69b6ea602f7611e73cbdb03.exe	17
PID 2448 wrote to memory of 2792	2448	284dd545e69b6ea602f7611e73cbdb03.exe	17
PID 2792 wrote to memory of 2080	2792	cmd.exe	16
PID 2792 wrote to memory of 2080	2792	cmd.exe	16
PID 2792 wrote to memory of 2080	2792	cmd.exe	16
PID 2792 wrote to memory of 2080	2792	cmd.exe	16
PID 2792 wrote to memory of 2744	2792	cmd.exe	33
PID 2792 wrote to memory of 2744	2792	cmd.exe	33
PID 2792 wrote to memory of 2744	2792	cmd.exe	33
PID 2792 wrote to memory of 2744	2792	cmd.exe	33
PID 2744 wrote to memory of 2500	2744	u.dll	32
PID 2744 wrote to memory of 2500	2744	u.dll	32
PID 2744 wrote to memory of 2500	2744	u.dll	32
PID 2744 wrote to memory of 2500	2744	u.dll	32
PID 2792 wrote to memory of 320	2792	cmd.exe	31
PID 2792 wrote to memory of 320	2792	cmd.exe	31
PID 2792 wrote to memory of 320	2792	cmd.exe	31
PID 2792 wrote to memory of 320	2792	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\284dd545e69b6ea602f7611e73cbdb03.exe
"C:\Users\Admin\AppData\Local\Temp\284dd545e69b6ea602f7611e73cbdb03.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FB50.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:320
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2744

C:\Users\Admin\AppData\Local\Temp\u.dll
u.dll -bat vir.bat -save 284dd545e69b6ea602f7611e73cbdb03.exe.com -include s.dll -overwrite -nodelete
1⤵
- Executes dropped EXE
PID:2080

C:\Users\Admin\AppData\Local\Temp\1719.tmp\mpress.exe
"C:\Users\Admin\AppData\Local\Temp\1719.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe171A.tmp"
1⤵
- Executes dropped EXE
PID:2500

memory/2448-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2448-109-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2500-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-95-0x00000000004C0000-0x00000000004F4000-memory.dmp

Filesize
208KB

Download
memory/2744-91-0x00000000004C0000-0x00000000004F4000-memory.dmp

Filesize
208KB

Download