e4ca7f18df4e1559ea90beb02cc444fef003e0094d0c451d1c4746a214dc2c52

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 14:03

Target

b794c2fb87319baa273d3701cfd97d00.exe
Size

301KB
MD5

b794c2fb87319baa273d3701cfd97d00
SHA1

1c705ed432e445fdd4c510589f170edbdbc08025
SHA256

e4ca7f18df4e1559ea90beb02cc444fef003e0094d0c451d1c4746a214dc2c52
SHA512

872fcf293ffbf5340fde9351d700b4d1d4e6ad7a38c429a950834cb15c94cbe2942fa3dd59b66fb3fd412cdef33a1aeec4fbc11fa9b55963d5ad12c1d8fb98b0
SSDEEP

6144:CUubI04hmcMTRiZ4mWl05WeaqGNJzM0bbxwzIT/pQNc:LubI04hRMTq4r0mrvwzItQN

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
468	ati

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ATI Technologies\ATI\date\ati	b794c2fb87319baa273d3701cfd97d00.exe
File opened for modification	C:\Program Files (x86)\ATI Technologies\ATI\date\ati	b794c2fb87319baa273d3701cfd97d00.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Delete.bat	b794c2fb87319baa273d3701cfd97d00.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
468	ati

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 2244	4684	b794c2fb87319baa273d3701cfd97d00.exe	94
PID 4684 wrote to memory of 2244	4684	b794c2fb87319baa273d3701cfd97d00.exe	94
PID 4684 wrote to memory of 2244	4684	b794c2fb87319baa273d3701cfd97d00.exe	94
PID 468 wrote to memory of 1504	468	ati	93
PID 468 wrote to memory of 1504	468	ati	93

C:\Users\Admin\AppData\Local\Temp\b794c2fb87319baa273d3701cfd97d00.exe
"C:\Users\Admin\AppData\Local\Temp\b794c2fb87319baa273d3701cfd97d00.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\Delete.bat
  2⤵
  PID:2244

C:\Program Files (x86)\ATI Technologies\ATI\date\ati
"C:\Program Files (x86)\ATI Technologies\ATI\date\ati"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:468
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1504

C:\Program Files (x86)\ATI Technologies\ATI\date\ati

Filesize
301KB

MD5
b794c2fb87319baa273d3701cfd97d00

SHA1
1c705ed432e445fdd4c510589f170edbdbc08025

SHA256
e4ca7f18df4e1559ea90beb02cc444fef003e0094d0c451d1c4746a214dc2c52

SHA512
872fcf293ffbf5340fde9351d700b4d1d4e6ad7a38c429a950834cb15c94cbe2942fa3dd59b66fb3fd412cdef33a1aeec4fbc11fa9b55963d5ad12c1d8fb98b0

Download Submit
C:\Windows\Delete.bat

Filesize
186B

MD5
49e05ec2317537afab74dc8e3f5b00ed

SHA1
ff4f356b1259198ddfa5eacb6dc01666692ca1fe

SHA256
fd0d87cf3748a3b44b39525abaf395a9afcfc897aa1b13ae0fb4739b441dc365

SHA512
5f3401863e914c43eb9a866ba141f2025d1746ece59e524deb8a1668f5fa3689ea8b2ef9e824de919d33cf007471eaa725da22983fb6e33db1e19e0f97b33418

Download Submit
memory/468-8-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/468-11-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/468-13-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/4684-0-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4684-3-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4684-9-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download