6bab347d6a9bc0755ff1cb0916a506227a0407716b3d741bd3b71608a717d9f7

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 20:00

Target

6bab347d6a9bc0755ff1cb0916a506227a0407716b3d741bd3b71608a717d9f7.exe
Size

73KB
MD5

656725bddd1a647859c587983f58c812
SHA1

7dc4e4436c1257496cbbbb63f776f03fe533a5ab
SHA256

6bab347d6a9bc0755ff1cb0916a506227a0407716b3d741bd3b71608a717d9f7
SHA512

4b0516f23195860b182f865ef1fb6dd66d7c02c9dbe43b6935f4fd04762f189617a8e551dc9f698d85c43f6b9038c9963fe9a7b88cca4dd08226aa4ab1a06156
SSDEEP

1536:hbbhvDD8qtK5QPqfhVWbdsmA+RjPFLC+e5hyy0ZGUGf2g:h57LNPqfcxA+HFshbOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1792	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
1712	cmd.exe
1712	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 1712	880	6bab347d6a9bc0755ff1cb0916a506227a0407716b3d741bd3b71608a717d9f7.exe	29
PID 880 wrote to memory of 1712	880	6bab347d6a9bc0755ff1cb0916a506227a0407716b3d741bd3b71608a717d9f7.exe	29
PID 880 wrote to memory of 1712	880	6bab347d6a9bc0755ff1cb0916a506227a0407716b3d741bd3b71608a717d9f7.exe	29
PID 880 wrote to memory of 1712	880	6bab347d6a9bc0755ff1cb0916a506227a0407716b3d741bd3b71608a717d9f7.exe	29
PID 1712 wrote to memory of 1792	1712	cmd.exe	30
PID 1712 wrote to memory of 1792	1712	cmd.exe	30
PID 1712 wrote to memory of 1792	1712	cmd.exe	30
PID 1712 wrote to memory of 1792	1712	cmd.exe	30
PID 1792 wrote to memory of 1556	1792	[email protected]	31
PID 1792 wrote to memory of 1556	1792	[email protected]	31
PID 1792 wrote to memory of 1556	1792	[email protected]	31
PID 1792 wrote to memory of 1556	1792	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\6bab347d6a9bc0755ff1cb0916a506227a0407716b3d741bd3b71608a717d9f7.exe
"C:\Users\Admin\AppData\Local\Temp\6bab347d6a9bc0755ff1cb0916a506227a0407716b3d741bd3b71608a717d9f7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:1556

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
ce8fcc84e951869b04d7407226d5890b

SHA1
f2d326a4b430f8c0d1ac169a17f545cccd7f827a

SHA256
e3fedcea5899ad88d3ef50bafea0883939ebc77a7d9d49ac54a770bb97613ffe

SHA512
f85fe681d33bd72de9dd961185f77cfe7c4778e522911968e98fef9685830bd8250ce027f61584f28995e1ddb73c24df2862688280ece3b30451ae4cfcd259d0

Download Submit
memory/880-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1792-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download