adbed78c70d3a22445e33a1fe519593410ad1a4be6ff6ac59c1478fefc11ebe3

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 09:38

Target

8c00362d43df530aeab841dc38a254f1.exe
Size

20KB
MD5

8c00362d43df530aeab841dc38a254f1
SHA1

a16b72eb628b859410dbd877629bd95fe8f70343
SHA256

adbed78c70d3a22445e33a1fe519593410ad1a4be6ff6ac59c1478fefc11ebe3
SHA512

f548b7c7eaba21d95600648774399e0c39196b854ee50ee0d52f6c8be5d9bb6b1767a10c11e3affd415557ea8a714abb239604a7c0523913e5ab1017e7f6de27
SSDEEP

384:7yakQIZjeQM8athtznBpjh1TxxFxM8T5jx+aNJawcudoD7Us8oYQJ2ba8:7yeeWfpl1TxD2s5jFnbcuyD7Us1In

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2780	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2332	system32.exe

Loads dropped DLL 2 IoCs

pid	Process
2256	8c00362d43df530aeab841dc38a254f1.exe
2256	8c00362d43df530aeab841dc38a254f1.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Deledomn.bat	8c00362d43df530aeab841dc38a254f1.exe
File created	C:\Windows\SysWOW64\system32.exe	8c00362d43df530aeab841dc38a254f1.exe
File opened for modification	C:\Windows\SysWOW64\system32.exe	8c00362d43df530aeab841dc38a254f1.exe
File opened for modification	C:\Windows\SysWOW64\system32.exe	system32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2332	2256	8c00362d43df530aeab841dc38a254f1.exe	28
PID 2256 wrote to memory of 2332	2256	8c00362d43df530aeab841dc38a254f1.exe	28
PID 2256 wrote to memory of 2332	2256	8c00362d43df530aeab841dc38a254f1.exe	28
PID 2256 wrote to memory of 2332	2256	8c00362d43df530aeab841dc38a254f1.exe	28
PID 2256 wrote to memory of 2780	2256	8c00362d43df530aeab841dc38a254f1.exe	29
PID 2256 wrote to memory of 2780	2256	8c00362d43df530aeab841dc38a254f1.exe	29
PID 2256 wrote to memory of 2780	2256	8c00362d43df530aeab841dc38a254f1.exe	29
PID 2256 wrote to memory of 2780	2256	8c00362d43df530aeab841dc38a254f1.exe	29

C:\Users\Admin\AppData\Local\Temp\8c00362d43df530aeab841dc38a254f1.exe
"C:\Users\Admin\AppData\Local\Temp\8c00362d43df530aeab841dc38a254f1.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\system32.exe
  C:\Windows\system32\system32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deledomn.bat
  2⤵
  - Deletes itself
  PID:2780

C:\Windows\SysWOW64\Deledomn.bat

Filesize
184B

MD5
3c158f63830ca939140d9edf69a65e51

SHA1
846226a4c95045e3897e10996703716822c4f064

SHA256
33edcaab3c5cab16ebbc5c69b1e03a5f6ff895d442e4c2dcc15775ef630d340d

SHA512
2dc5bb0491fbbf284750bb3d70221c95e9053ac5f544d0b162039c8afed105ccef940ebc97729569a07437d59942cf6cb932fd4f082e921a64f17c64338946d9

Download Submit
\Windows\SysWOW64\system32.exe

Filesize
20KB

MD5
8c00362d43df530aeab841dc38a254f1

SHA1
a16b72eb628b859410dbd877629bd95fe8f70343

SHA256
adbed78c70d3a22445e33a1fe519593410ad1a4be6ff6ac59c1478fefc11ebe3

SHA512
f548b7c7eaba21d95600648774399e0c39196b854ee50ee0d52f6c8be5d9bb6b1767a10c11e3affd415557ea8a714abb239604a7c0523913e5ab1017e7f6de27

Download Submit
memory/2256-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2256-2-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2256-22-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2332-11-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2332-13-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download