951b106ff78ed86d30a06e4d957b4288156d193a900f0f94e46881ae4997b4a1

Analysis

max time kernel
152s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 20:09

Target

f90c5a9cfe379200fb6053cddfcf437c.exe
Size

61KB
MD5

f90c5a9cfe379200fb6053cddfcf437c
SHA1

8549b95d86d7d93b99d881cb7e3904f24ce66c5b
SHA256

951b106ff78ed86d30a06e4d957b4288156d193a900f0f94e46881ae4997b4a1
SHA512

dfd0cab171ca8ba22ea8f8452fdcde22024ac6725279dc2d9b3161a185c0875b73f2d0aef3be3b3d4dd1e40ade12ccd2bf2aff1e4ddd69fa9bbc9e78902aefd9
SSDEEP

1536:Sttdse4OcUmWQIvEPZo6E5sEFd29NQgA2wnle5:Cdse4OlQZo6EKEFdGM2+le5

Score

7^/10

Executes dropped EXE 3 IoCs

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\viesazm.mpk	ewiuer2.exe
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\viesazm.mpk	ewiuer2.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 4372	2656	f90c5a9cfe379200fb6053cddfcf437c.exe	91
PID 2656 wrote to memory of 4372	2656	f90c5a9cfe379200fb6053cddfcf437c.exe	91
PID 2656 wrote to memory of 4372	2656	f90c5a9cfe379200fb6053cddfcf437c.exe	91
PID 4372 wrote to memory of 4504	4372	ewiuer2.exe	103
PID 4372 wrote to memory of 4504	4372	ewiuer2.exe	103
PID 4372 wrote to memory of 4504	4372	ewiuer2.exe	103
PID 4504 wrote to memory of 3448	4504	ewiuer2.exe	110
PID 4504 wrote to memory of 3448	4504	ewiuer2.exe	110
PID 4504 wrote to memory of 3448	4504	ewiuer2.exe	110

C:\Users\Admin\AppData\Local\Temp\f90c5a9cfe379200fb6053cddfcf437c.exe
"C:\Users\Admin\AppData\Local\Temp\f90c5a9cfe379200fb6053cddfcf437c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Windows\SysWOW64\ewiuer2.exe
      C:\Windows\SysWOW64\ewiuer2.exe /nomove
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:3448

C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
5f17b01a57854497cdf89cabd627a351

SHA1
a3fbbca1b844990e0b70d5e7ecc8efa6d2718cf7

SHA256
c076cf38e8a9b28a7c81f658fceefa5ed423920caec0dbc0e397e1022779364a

SHA512
8068d145decfae807f3758527cac5218bd50b39c667573479f975176c39a123e9ba1d341bad3d9434b4039cabc5de7d968d377efc6529fcd76a98058e4e9224d

Download Submit
C:\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
ada2454b081452d4be5756ef9951e233

SHA1
93149b332703f44b8763c72c9b0d5d7250b1b8fe

SHA256
36db2ada0c3ea3df533c204d633909d472c9ea4ffcdae51af132b9bd722f7841

SHA512
fc59492b665fd8ba906eebd45e9f0ea108842737221581db99119d538b12f63e0f076de090c2c8acdc37045434037f4b68daa14e1c1b1de386a272628c187d40

Download Submit