b076b25c9a5953176518044928931898336fa50f086d04c84f05c6cc40d9a1a6

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 17:36

Target

7d97bf536bc89cec23cf9d03d2f4d932.exe
Size

52KB
MD5

7d97bf536bc89cec23cf9d03d2f4d932
SHA1

58ce50c0369a70f9412b9ca1e864e94317fa5270
SHA256

b076b25c9a5953176518044928931898336fa50f086d04c84f05c6cc40d9a1a6
SHA512

1a5fd131f93e60f9289ecf454c4e069f4a1f4a8718736158ff13f7c8c7a17a656687219ffeecaa28e37c27222e61b56c9ef06aff9cf746761eb4d320f540774e
SSDEEP

1536:/CqlZmQN60asZa4vIqZjQeBdVAjL/0yKY:Mo6Ga4JjvTiL/0tY

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2232	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\inf\mssz420.dll	7d97bf536bc89cec23cf9d03d2f4d932.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC3C5BA1-D54F-40D5-A11F-E424E5F9E767}\	7d97bf536bc89cec23cf9d03d2f4d932.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC3C5BA1-D54F-40D5-A11F-E424E5F9E767}\InProcServer32	7d97bf536bc89cec23cf9d03d2f4d932.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC3C5BA1-D54F-40D5-A11F-E424E5F9E767}\InProcServer32\ = "C:\\WINDOWS\\inf\\mssz420.dll"	7d97bf536bc89cec23cf9d03d2f4d932.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC3C5BA1-D54F-40D5-A11F-E424E5F9E767}\InProcServer32\ThreadingModel = "Apartment"	7d97bf536bc89cec23cf9d03d2f4d932.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC3C5BA1-D54F-40D5-A11F-E424E5F9E767}	7d97bf536bc89cec23cf9d03d2f4d932.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2232	1080	7d97bf536bc89cec23cf9d03d2f4d932.exe	29
PID 1080 wrote to memory of 2232	1080	7d97bf536bc89cec23cf9d03d2f4d932.exe	29
PID 1080 wrote to memory of 2232	1080	7d97bf536bc89cec23cf9d03d2f4d932.exe	29
PID 1080 wrote to memory of 2232	1080	7d97bf536bc89cec23cf9d03d2f4d932.exe	29

C:\Users\Admin\AppData\Local\Temp\7d97bf536bc89cec23cf9d03d2f4d932.exe
"C:\Users\Admin\AppData\Local\Temp\7d97bf536bc89cec23cf9d03d2f4d932.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c delself.bat
  2⤵
  - Deletes itself
  PID:2232

C:\Users\Admin\AppData\Local\Temp\delself.bat

Filesize
50B

MD5
7f37df279faf4c946b634c67dfc0c8cd

SHA1
0decc1e05e3db2d6e45424771a69ee5751dbd60e

SHA256
7181ba21ef4f9b970e93eb20b7be47cd84d4c33fae695686536447c5fb9a8f69

SHA512
3128c656838fe136ece086c20bbe950fa9110d2260c7cc40fc52dda53053d8ca93fbd7569deb673f35d01629038c7a4f5e89be7cb1b3e0b48b3d349a218293ee

Download Submit
memory/1080-8-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download