41962b362a77da8d852d92fd8137db03467e35b627f42e274031ed4b013e6691

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 02:09

Target

44838a69dcab41b58ef35a3060386df0.exe
Size

36KB
MD5

44838a69dcab41b58ef35a3060386df0
SHA1

977d8947fa93d778f107819135129c48f00ef216
SHA256

41962b362a77da8d852d92fd8137db03467e35b627f42e274031ed4b013e6691
SHA512

ff043ce975089c17675ab0507fc737415d3d68917687d030bb374e3761c5b4aa00b67ffdf04cdbf823bb51f96641e1ef4783de457962d504a8c4fe755a64c5ec
SSDEEP

768:1mMqYQBLN7a2xrR1K8FnVuyJyB763Tf1jdooLG8KvSjyp:gMqYQBxljKEnmB763D1h/Kqjy

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2784	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3044	servet.exe

Loads dropped DLL 2 IoCs

pid	Process
2296	44838a69dcab41b58ef35a3060386df0.exe
2296	44838a69dcab41b58ef35a3060386df0.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\servet.exe	44838a69dcab41b58ef35a3060386df0.exe
File opened for modification	C:\Windows\SysWOW64\servet.exe	servet.exe
File created	C:\Windows\SysWOW64\Deledomn.bat	44838a69dcab41b58ef35a3060386df0.exe
File created	C:\Windows\SysWOW64\servet.exe	44838a69dcab41b58ef35a3060386df0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 3044	2296	44838a69dcab41b58ef35a3060386df0.exe	30
PID 2296 wrote to memory of 3044	2296	44838a69dcab41b58ef35a3060386df0.exe	30
PID 2296 wrote to memory of 3044	2296	44838a69dcab41b58ef35a3060386df0.exe	30
PID 2296 wrote to memory of 3044	2296	44838a69dcab41b58ef35a3060386df0.exe	30
PID 2296 wrote to memory of 2784	2296	44838a69dcab41b58ef35a3060386df0.exe	29
PID 2296 wrote to memory of 2784	2296	44838a69dcab41b58ef35a3060386df0.exe	29
PID 2296 wrote to memory of 2784	2296	44838a69dcab41b58ef35a3060386df0.exe	29
PID 2296 wrote to memory of 2784	2296	44838a69dcab41b58ef35a3060386df0.exe	29

C:\Users\Admin\AppData\Local\Temp\44838a69dcab41b58ef35a3060386df0.exe
"C:\Users\Admin\AppData\Local\Temp\44838a69dcab41b58ef35a3060386df0.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deledomn.bat
  2⤵
  - Deletes itself
  PID:2784
- C:\Windows\SysWOW64\servet.exe
  C:\Windows\system32\servet.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3044

C:\Windows\SysWOW64\Deledomn.bat

Filesize
184B

MD5
64f84163cb8b4a1f3d24ca2298667fa0

SHA1
d4f76dc00e844f32bc11f7016bfa862937990ba1

SHA256
176f02539c4104d2dd9cc64823147421b6050b58232475d573f55474b37eb031

SHA512
66d0ae8d5011f83e403406a36b7d9e6ae1344749b41b6195d51e9eeaad8befca3e8a2683fdb3ff5d30055e1c5ba01ac0dce12b7a06e7d988e94115f6c98b31a9

Download Submit
\Windows\SysWOW64\servet.exe

Filesize
36KB

MD5
44838a69dcab41b58ef35a3060386df0

SHA1
977d8947fa93d778f107819135129c48f00ef216

SHA256
41962b362a77da8d852d92fd8137db03467e35b627f42e274031ed4b013e6691

SHA512
ff043ce975089c17675ab0507fc737415d3d68917687d030bb374e3761c5b4aa00b67ffdf04cdbf823bb51f96641e1ef4783de457962d504a8c4fe755a64c5ec

Download Submit
memory/2296-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3044-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download