27d9635403cc16cc7b192ceb00c795ae23d9706b7f837fbdf60cd8e5df744db3

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 18:26

Target

27d9635403cc16cc7b192ceb00c795ae23d9706b7f837fbdf60cd8e5df744db3.exe
Size

73KB
MD5

8c1370f7173db4659306a754e990c079
SHA1

e07afced8b4709af2d728aeacee4b1d8dd67ce4e
SHA256

27d9635403cc16cc7b192ceb00c795ae23d9706b7f837fbdf60cd8e5df744db3
SHA512

387a31f31b3c390d37bdb5874bc2b07049fe238554067898e64f2f621f54fb04f025096d475e6e2b21ee9c3a913f03337de1886f511395eb121c5a9d7f759d74
SSDEEP

1536:hbI582rcx0GK5QPqfhVWbdsmA+RjPFLC+e5hx0ZGUGf2g:hYAx0GNPqfcxA+HFshxOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1896	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
2032	cmd.exe
2032	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2032	2072	27d9635403cc16cc7b192ceb00c795ae23d9706b7f837fbdf60cd8e5df744db3.exe	29
PID 2072 wrote to memory of 2032	2072	27d9635403cc16cc7b192ceb00c795ae23d9706b7f837fbdf60cd8e5df744db3.exe	29
PID 2072 wrote to memory of 2032	2072	27d9635403cc16cc7b192ceb00c795ae23d9706b7f837fbdf60cd8e5df744db3.exe	29
PID 2072 wrote to memory of 2032	2072	27d9635403cc16cc7b192ceb00c795ae23d9706b7f837fbdf60cd8e5df744db3.exe	29
PID 2032 wrote to memory of 1896	2032	cmd.exe	30
PID 2032 wrote to memory of 1896	2032	cmd.exe	30
PID 2032 wrote to memory of 1896	2032	cmd.exe	30
PID 2032 wrote to memory of 1896	2032	cmd.exe	30
PID 1896 wrote to memory of 2012	1896	[email protected]	31
PID 1896 wrote to memory of 2012	1896	[email protected]	31
PID 1896 wrote to memory of 2012	1896	[email protected]	31
PID 1896 wrote to memory of 2012	1896	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\27d9635403cc16cc7b192ceb00c795ae23d9706b7f837fbdf60cd8e5df744db3.exe
"C:\Users\Admin\AppData\Local\Temp\27d9635403cc16cc7b192ceb00c795ae23d9706b7f837fbdf60cd8e5df744db3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 16256.exe
      4⤵
      PID:2012

\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
ca02bd4b913079a6db2a90b0cec8ba27

SHA1
3a22ec184087a3233fa82a79247114f3671482a5

SHA256
1015045b018463ddf0a765ed26d78cf0271a649956dbbeb52e204e5b13ac37b5

SHA512
a820ea54f03c51893584a56779d47e718407a9397f3148d3c7de22b4b8c4430b9886dbc309b5f5f1c949a7aa0657760016ae20fe72cc2058432bdcbc315a2e4f

Download Submit
memory/1896-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2072-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download