b7e2d49633b251b862cde979422c995ae6ce7a98941f13189b09e5b2e3b7939a

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 12:50

Target

36bdd6f995cfe13a617f392a07c03fc9.exe
Size

51KB
MD5

36bdd6f995cfe13a617f392a07c03fc9
SHA1

368787ed6f655bfa7904f6564a2873b3a7a6ceeb
SHA256

b7e2d49633b251b862cde979422c995ae6ce7a98941f13189b09e5b2e3b7939a
SHA512

7e9631a6288a92cd61d328a4a62744eba358bbcefdfb45ec27a2874bc654fe07a3be6812f110f50401f7723bd63256ab501c856ac09f0e1a9d258b6cd32fe0c5
SSDEEP

768:O0usie8+SYWwPH8kYNg4IpFQn8tY1k/EHVZO9KLztuW:O0udL+SYWwv/S8t+k6eSsW

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1532	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1620	vylqxudo.exe

Loads dropped DLL 2 IoCs

pid	Process
2416	36bdd6f995cfe13a617f392a07c03fc9.exe
2416	36bdd6f995cfe13a617f392a07c03fc9.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2416	36bdd6f995cfe13a617f392a07c03fc9.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1620	2416	36bdd6f995cfe13a617f392a07c03fc9.exe	33
PID 2416 wrote to memory of 1620	2416	36bdd6f995cfe13a617f392a07c03fc9.exe	33
PID 2416 wrote to memory of 1620	2416	36bdd6f995cfe13a617f392a07c03fc9.exe	33
PID 2416 wrote to memory of 1620	2416	36bdd6f995cfe13a617f392a07c03fc9.exe	33
PID 2416 wrote to memory of 1532	2416	36bdd6f995cfe13a617f392a07c03fc9.exe	32
PID 2416 wrote to memory of 1532	2416	36bdd6f995cfe13a617f392a07c03fc9.exe	32
PID 2416 wrote to memory of 1532	2416	36bdd6f995cfe13a617f392a07c03fc9.exe	32
PID 2416 wrote to memory of 1532	2416	36bdd6f995cfe13a617f392a07c03fc9.exe	32

C:\Users\Admin\AppData\Local\Temp\36bdd6f995cfe13a617f392a07c03fc9.exe
"C:\Users\Admin\AppData\Local\Temp\36bdd6f995cfe13a617f392a07c03fc9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\cmd.exe
  /c del /f C:\Users\Admin\AppData\Local\Temp\36BDD6~1.EXE.bak >> NUL
  2⤵
  - Deletes itself
  PID:1532
- C:\ProgramData\tglsfong\vylqxudo.exe
  C:\ProgramData\tglsfong\vylqxudo.exe
  2⤵
  - Executes dropped EXE
  PID:1620

\ProgramData\tglsfong\vylqxudo.exe

Filesize
51KB

MD5
36bdd6f995cfe13a617f392a07c03fc9

SHA1
368787ed6f655bfa7904f6564a2873b3a7a6ceeb

SHA256
b7e2d49633b251b862cde979422c995ae6ce7a98941f13189b09e5b2e3b7939a

SHA512
7e9631a6288a92cd61d328a4a62744eba358bbcefdfb45ec27a2874bc654fe07a3be6812f110f50401f7723bd63256ab501c856ac09f0e1a9d258b6cd32fe0c5

Download Submit