98bc48acd900c6f06072b89c4e7e1bdb74b6c02e2aabfa9de65bff11955d807c

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05-01-2024 07:59

Target

432b9578c0ad9ed418d57d9bb51bcd20.exe
Size

24KB
MD5

432b9578c0ad9ed418d57d9bb51bcd20
SHA1

3910483a8d1e11140bb42f01c328361c451e5572
SHA256

98bc48acd900c6f06072b89c4e7e1bdb74b6c02e2aabfa9de65bff11955d807c
SHA512

3c326b27a320faa3e4a8076a8b967146c5c925cfcd69651a9dd4c550b06a6dd84500b6bbbcb976567fa7b5502420cb0383a3f2cb0af3ceda106a2e7015ce4c00
SSDEEP

384:uZyrOAVI7cfceEAQ8xZoQg0cHYaWjiS+QaRE1m0BFdTDjjwkA:uZJAGc3Edy+IcZzMT3q

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2180	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3040	NTdhcp.exe

Loads dropped DLL 2 IoCs

pid	Process
2932	432b9578c0ad9ed418d57d9bb51bcd20.exe
2932	432b9578c0ad9ed418d57d9bb51bcd20.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NTdhcp.exe	432b9578c0ad9ed418d57d9bb51bcd20.exe
File opened for modification	C:\Windows\SysWOW64\NTdhcp.exe	432b9578c0ad9ed418d57d9bb51bcd20.exe
File opened for modification	C:\Windows\SysWOW64\NTdhcp.exe	NTdhcp.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Deleteme.bat	432b9578c0ad9ed418d57d9bb51bcd20.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 3040	2932	432b9578c0ad9ed418d57d9bb51bcd20.exe	28
PID 2932 wrote to memory of 3040	2932	432b9578c0ad9ed418d57d9bb51bcd20.exe	28
PID 2932 wrote to memory of 3040	2932	432b9578c0ad9ed418d57d9bb51bcd20.exe	28
PID 2932 wrote to memory of 3040	2932	432b9578c0ad9ed418d57d9bb51bcd20.exe	28
PID 2932 wrote to memory of 2180	2932	432b9578c0ad9ed418d57d9bb51bcd20.exe	30
PID 2932 wrote to memory of 2180	2932	432b9578c0ad9ed418d57d9bb51bcd20.exe	30
PID 2932 wrote to memory of 2180	2932	432b9578c0ad9ed418d57d9bb51bcd20.exe	30
PID 2932 wrote to memory of 2180	2932	432b9578c0ad9ed418d57d9bb51bcd20.exe	30

C:\Users\Admin\AppData\Local\Temp\432b9578c0ad9ed418d57d9bb51bcd20.exe
"C:\Users\Admin\AppData\Local\Temp\432b9578c0ad9ed418d57d9bb51bcd20.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\NTdhcp.exe
  C:\Windows\system32\NTdhcp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\Deleteme.bat
  2⤵
  - Deletes itself
  PID:2180

C:\Windows\Deleteme.bat

Filesize
184B

MD5
1ac5db7354832c49c3e8804a1297d7d3

SHA1
ac7bfff8f7f2befed4a2449ee6a55333cfdccaf0

SHA256
e22a01e7b5684edde87064fa210ff8c4816b446f4046adca31e6b86178980361

SHA512
f4204623381555eaa3a74394089ac65ba3a88ed0e099f883eb657e8f4945a23d44f86dc2fd0a5ea2a3e1a7500174ead831e6eae372691b99109a9b45a600d4ee

Download Submit
\Windows\SysWOW64\NTdhcp.exe

Filesize
24KB

MD5
432b9578c0ad9ed418d57d9bb51bcd20

SHA1
3910483a8d1e11140bb42f01c328361c451e5572

SHA256
98bc48acd900c6f06072b89c4e7e1bdb74b6c02e2aabfa9de65bff11955d807c

SHA512
3c326b27a320faa3e4a8076a8b967146c5c925cfcd69651a9dd4c550b06a6dd84500b6bbbcb976567fa7b5502420cb0383a3f2cb0af3ceda106a2e7015ce4c00

Download Submit
memory/2932-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2932-4-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2932-21-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2932-11-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2932-23-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/3040-14-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download