ca1f68315c7bc7f741cd20ecb3ffac79dd8c9b21bfc0dda1869ec51730fc9338

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-03-2024 23:09

Target

ca1f68315c7bc7f741cd20ecb3ffac79dd8c9b21bfc0dda1869ec51730fc9338.exe
Size

73KB
MD5

331b8653fe1c0e75a5b0257f51776f5e
SHA1

b5bc4dca77b2326609b6eae5813b998b2c4997bc
SHA256

ca1f68315c7bc7f741cd20ecb3ffac79dd8c9b21bfc0dda1869ec51730fc9338
SHA512

53832b5cc70daa355d7aedf232ac0e6139c479ce522add998a557fe594445df03a2165220522f6a3595a7f1977a6a6fcbe1daec4811867c0559bc368a3d5af27
SSDEEP

1536:hbLvRJ+Q0re1apK5QPqfhVWbdsmA+RjPFLC+e5heD0ZGUGf2g:hnPHCNPqfcxA+HFshsOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
3884	[email protected]

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 2444	4212	ca1f68315c7bc7f741cd20ecb3ffac79dd8c9b21bfc0dda1869ec51730fc9338.exe	89
PID 4212 wrote to memory of 2444	4212	ca1f68315c7bc7f741cd20ecb3ffac79dd8c9b21bfc0dda1869ec51730fc9338.exe	89
PID 4212 wrote to memory of 2444	4212	ca1f68315c7bc7f741cd20ecb3ffac79dd8c9b21bfc0dda1869ec51730fc9338.exe	89
PID 2444 wrote to memory of 3884	2444	cmd.exe	90
PID 2444 wrote to memory of 3884	2444	cmd.exe	90
PID 2444 wrote to memory of 3884	2444	cmd.exe	90
PID 3884 wrote to memory of 920	3884	[email protected]	91
PID 3884 wrote to memory of 920	3884	[email protected]	91
PID 3884 wrote to memory of 920	3884	[email protected]	91

C:\Users\Admin\AppData\Local\Temp\ca1f68315c7bc7f741cd20ecb3ffac79dd8c9b21bfc0dda1869ec51730fc9338.exe
"C:\Users\Admin\AppData\Local\Temp\ca1f68315c7bc7f741cd20ecb3ffac79dd8c9b21bfc0dda1869ec51730fc9338.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:920

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
73efa8a82b72a916f386b6c6d7bd57cd

SHA1
c2a48788c81d470f6d2b0b62644a6781fef6026f

SHA256
c8bf5280cd3f9d9d19e65c7ea3674cb4ccc026343019ba3378cf2ed89650d89d

SHA512
8f9d2a2b07b8f23e60de94f0e4fb8b01179c7e4976b68977cacf4272b36307842fe61c3341d08d35e703c06e0957769d8b81587e8f1b74fcf8e0d857070891b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\00.exe

Filesize
2KB

MD5
7b621943a35e7f39cf89f50cc48d7b94

SHA1
2858a28cf60f38025fffcd0ba2ecfec8511c197d

SHA256
bef04c2f89dc115ce2763558933dba1767bf30cda6856d335ae68955923f9991

SHA512
4169e664ad4e7e6891a05ceed78465e0ec44879b37fc0de97c014945e10c161f6bfb040efc24edc136e69bb115b2a1327b04cefb58141f712da856129872e8f1

Download Submit
memory/3884-7-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4212-8-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download