2cf13d26347da2c0d0e134bc200d361bdb3156e68734e82f21688cb6860b1798

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 15:23

Target

Spy Note 6.4/Resources/Imports/Payload/SL.exe
Size

1.5MB
MD5

2eabc8a774c544e9b6e23ba1b83ed783
SHA1

a880005b4f619e004f4d9adcce2a9612112c26b2
SHA256

0080743a4364b8e5d8ec6a19010ee12dc79fcf815f592db639af262420ada0f8
SHA512

ed8cd1ec97e0954715c81c284bbc2751340a7933511862cda65e72be35fdd9d4a8693066f3023025f92b06c845173c2e5da6f4d88a3e97c62c640643dff475a9
SSDEEP

768:1KSAOfhZXvSzjWKDIp93ZZwpZpTQdBHiF7QHsIMd3uDzZuFs+mk:nrfhZXvSzjWb5wz16S7l9eDzZu7

Score

1^/10

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

SL.exe

description	pid	process	target process
PID 2544 wrote to memory of 1416	2544	SL.exe	WerFault.exe
PID 2544 wrote to memory of 1416	2544	SL.exe	WerFault.exe
PID 2544 wrote to memory of 1416	2544	SL.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Spy Note 6.4\Resources\Imports\Payload\SL.exe
"C:\Users\Admin\AppData\Local\Temp\Spy Note 6.4\Resources\Imports\Payload\SL.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2544 -s 788
2⤵
PID:1416

memory/2544-0-0x0000000000340000-0x00000000004CC000-memory.dmp

Filesize
1.5MB

Download
memory/2544-1-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2544-2-0x000000001AE40000-0x000000001AEC0000-memory.dmp

Filesize
512KB

Download
memory/2544-3-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

Filesize
9.9MB

Download