39eaca6a929ff3b1991b96bbd7b522541a74ad2559397793cebd1808eaf2632e

Analysis

max time kernel
144s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2024 02:11

Target

52411c495b4db5cc8e9a271b9581d075.exe
Size

76KB
MD5

52411c495b4db5cc8e9a271b9581d075
SHA1

e3dc21917b919ec6c8040911cf7b4ddf13df2325
SHA256

39eaca6a929ff3b1991b96bbd7b522541a74ad2559397793cebd1808eaf2632e
SHA512

4202c130d0a52fec29389653eae606d692230577ee9a9425d5cdf4d65479a0e12c44970bed1bc2e39e38ddd8e60f1504646dea8316e6bc5619c499ddf9899ffa
SSDEEP

1536:lU4rR6SkYvT/fFBn4Gz6us4IM5aKAoLbBqQFmd:xrsj03T4Pus/CTAoLbBqd

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
3252	galle.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\galle.exe	52411c495b4db5cc8e9a271b9581d075.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2696 set thread context of 3252	2696	52411c495b4db5cc8e9a271b9581d075.exe	21

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2696	52411c495b4db5cc8e9a271b9581d075.exe
2696	52411c495b4db5cc8e9a271b9581d075.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2696	52411c495b4db5cc8e9a271b9581d075.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 3252	2696	52411c495b4db5cc8e9a271b9581d075.exe	21
PID 2696 wrote to memory of 3252	2696	52411c495b4db5cc8e9a271b9581d075.exe	21
PID 2696 wrote to memory of 3252	2696	52411c495b4db5cc8e9a271b9581d075.exe	21
PID 2696 wrote to memory of 3252	2696	52411c495b4db5cc8e9a271b9581d075.exe	21
PID 2696 wrote to memory of 3252	2696	52411c495b4db5cc8e9a271b9581d075.exe	21
PID 2696 wrote to memory of 3252	2696	52411c495b4db5cc8e9a271b9581d075.exe	21
PID 2696 wrote to memory of 3252	2696	52411c495b4db5cc8e9a271b9581d075.exe	21

C:\Users\Admin\AppData\Local\Temp\52411c495b4db5cc8e9a271b9581d075.exe
"C:\Users\Admin\AppData\Local\Temp\52411c495b4db5cc8e9a271b9581d075.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\galle.exe
  C:\Windows\system32\galle.exe
  2⤵
  - Executes dropped EXE
  PID:3252

C:\Windows\SysWOW64\galle.exe

Filesize
20KB

MD5
8abe3fcfe0791df040abbe85c03a6c97

SHA1
01d4ac44a4ba9edd9998f8be0ec1354c3df511c4

SHA256
986b81412273a2cb454db21088ebc13e7db11af08f1cb9b6eb00ec379a604e91

SHA512
c6e48e50a7045bb5a56d67722d2087a244d47bed5dec4dfb19140cf9cd43d1990344aae24354417452f37ba35611233ad5e28f41d174b7e0a7268ae891ff7c57

Download Submit
memory/2696-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2696-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3252-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3252-14-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/3252-13-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3252-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3252-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download