5790197a67a3ff0dea89b128a704fe0f6e16df95509ffa972cf95d69792539c8

Analysis

max time kernel
135s
max time network
143s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 03:07

Target

96161c05b0a77109a14f40d98e9dd9d6.exe
Size

64KB
MD5

96161c05b0a77109a14f40d98e9dd9d6
SHA1

e80438e8fe21a523aa1c51635df0f4b8653a6199
SHA256

5790197a67a3ff0dea89b128a704fe0f6e16df95509ffa972cf95d69792539c8
SHA512

7018b96248b375ab59649c8d7a09274bb6b3bbf8405b00b60f103f180248f8a9fa00ae021f3cc0124d107c54e56a64b86f6a126cc672c0a3ba52737671eeb343
SSDEEP

1536:JkJTckW3JJd2urOrJZo+ikVDE1qbmlfnESu:JkWOuar5lDbqdEp

Score

7^/10

Deletes itself 1 IoCs

pid	Process
948	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2856	vmnipktu.exe

Loads dropped DLL 2 IoCs

pid	Process
1752	96161c05b0a77109a14f40d98e9dd9d6.exe
1752	96161c05b0a77109a14f40d98e9dd9d6.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1752	96161c05b0a77109a14f40d98e9dd9d6.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2856	1752	96161c05b0a77109a14f40d98e9dd9d6.exe	31
PID 1752 wrote to memory of 2856	1752	96161c05b0a77109a14f40d98e9dd9d6.exe	31
PID 1752 wrote to memory of 2856	1752	96161c05b0a77109a14f40d98e9dd9d6.exe	31
PID 1752 wrote to memory of 2856	1752	96161c05b0a77109a14f40d98e9dd9d6.exe	31
PID 1752 wrote to memory of 948	1752	96161c05b0a77109a14f40d98e9dd9d6.exe	32
PID 1752 wrote to memory of 948	1752	96161c05b0a77109a14f40d98e9dd9d6.exe	32
PID 1752 wrote to memory of 948	1752	96161c05b0a77109a14f40d98e9dd9d6.exe	32
PID 1752 wrote to memory of 948	1752	96161c05b0a77109a14f40d98e9dd9d6.exe	32

C:\Users\Admin\AppData\Local\Temp\96161c05b0a77109a14f40d98e9dd9d6.exe
"C:\Users\Admin\AppData\Local\Temp\96161c05b0a77109a14f40d98e9dd9d6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1752
- C:\ProgramData\dmxutcbi\vmnipktu.exe
  C:\ProgramData\dmxutcbi\vmnipktu.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\SysWOW64\cmd.exe
  /c del /f C:\Users\Admin\AppData\Local\Temp\96161C~1.EXE.bak >> NUL
  2⤵
  - Deletes itself
  PID:948

\ProgramData\dmxutcbi\vmnipktu.exe

Filesize
64KB

MD5
96161c05b0a77109a14f40d98e9dd9d6

SHA1
e80438e8fe21a523aa1c51635df0f4b8653a6199

SHA256
5790197a67a3ff0dea89b128a704fe0f6e16df95509ffa972cf95d69792539c8

SHA512
7018b96248b375ab59649c8d7a09274bb6b3bbf8405b00b60f103f180248f8a9fa00ae021f3cc0124d107c54e56a64b86f6a126cc672c0a3ba52737671eeb343

Download Submit