94396988625f888ae1b70daae2085d0720de931f2a5613bba920de21769a5027

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14-01-2024 02:10

Target

5a0158574ddf408e8adc686466db6790.exe
Size

910KB
MD5

5a0158574ddf408e8adc686466db6790
SHA1

f4dc209d1c35b11c1d92645f631a2cd5376d7d93
SHA256

94396988625f888ae1b70daae2085d0720de931f2a5613bba920de21769a5027
SHA512

c7ee8143f501ec94928051ff54730efdd1cab3a582bf9a643cdf417bc3ca566904831a51136f88eb3561c4e4db38edc333e0aad97225c83fc635e941a7435b7b
SSDEEP

24576:fQJfqPKjHBmUmOSS3LGxBvnYLOvvItxL1:fAvQESSbqRivxB

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2816	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2284	iiexplorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2876	5a0158574ddf408e8adc686466db6790.exe
2876	5a0158574ddf408e8adc686466db6790.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Deleteme.bat	5a0158574ddf408e8adc686466db6790.exe
File created	C:\Windows\SysWOW64\iiexplorer.exe	5a0158574ddf408e8adc686466db6790.exe
File opened for modification	C:\Windows\SysWOW64\iiexplorer.exe	5a0158574ddf408e8adc686466db6790.exe
File opened for modification	C:\Windows\SysWOW64\iiexplorer.exe	iiexplorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2284	2876	5a0158574ddf408e8adc686466db6790.exe	28
PID 2876 wrote to memory of 2284	2876	5a0158574ddf408e8adc686466db6790.exe	28
PID 2876 wrote to memory of 2284	2876	5a0158574ddf408e8adc686466db6790.exe	28
PID 2876 wrote to memory of 2284	2876	5a0158574ddf408e8adc686466db6790.exe	28
PID 2876 wrote to memory of 2816	2876	5a0158574ddf408e8adc686466db6790.exe	29
PID 2876 wrote to memory of 2816	2876	5a0158574ddf408e8adc686466db6790.exe	29
PID 2876 wrote to memory of 2816	2876	5a0158574ddf408e8adc686466db6790.exe	29
PID 2876 wrote to memory of 2816	2876	5a0158574ddf408e8adc686466db6790.exe	29

C:\Users\Admin\AppData\Local\Temp\5a0158574ddf408e8adc686466db6790.exe
"C:\Users\Admin\AppData\Local\Temp\5a0158574ddf408e8adc686466db6790.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\iiexplorer.exe
  C:\Windows\system32\iiexplorer.exe -NetSata
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  - Deletes itself
  PID:2816

C:\Windows\SysWOW64\Deleteme.bat

Filesize
184B

MD5
0eed0f73cbaf9bd57cc66148e4fb0a9a

SHA1
3d22299560bb37172f73c8477278ec1cb8994a91

SHA256
9f4ce3c9e8904605565fe502e5cecbc0dea018ec1610a43a90aef5a29a85d11d

SHA512
c5c401a66da3239c43a5971be9dce0e4af2ad8794cc6e2d6120e17b3d5465fe3ec579cb5be2d3df6352f0fad299fb84eae70a54b1906c8e8e3538d9735a29ad5

Download Submit
\Windows\SysWOW64\iiexplorer.exe

Filesize
910KB

MD5
5a0158574ddf408e8adc686466db6790

SHA1
f4dc209d1c35b11c1d92645f631a2cd5376d7d93

SHA256
94396988625f888ae1b70daae2085d0720de931f2a5613bba920de21769a5027

SHA512
c7ee8143f501ec94928051ff54730efdd1cab3a582bf9a643cdf417bc3ca566904831a51136f88eb3561c4e4db38edc333e0aad97225c83fc635e941a7435b7b

Download Submit
memory/2284-11-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2284-13-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2876-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2876-20-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download