f07aecb3ba407fb0fd928086c56008de165b9a49732fca332aa6fb7a14c01d26

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 15:56

Target

bc3650f02c898c4338f8cda12e77f749.exe
Size

28KB
MD5

bc3650f02c898c4338f8cda12e77f749
SHA1

1d90666852d6fc0a423f87f25f49d04835c2af5b
SHA256

f07aecb3ba407fb0fd928086c56008de165b9a49732fca332aa6fb7a14c01d26
SHA512

5fb0d62e9f0fe14a806b8d0a2e1826f823fcf8fe8af03f8b338962a322921aad1bac8aa12e24086b7f82bd9e91b140cda02f00a8eb1a5d7fc935f20ad93c2d33
SSDEEP

384:2WVONPopN93OpZAdRywjnxGjHRVR5LsJSwELcaXs62TDD2Tg36R8vqReuSSQN+CO:cvwjxGbL4G1Xs62nqE6Cq/SD+Ctg

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2664	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1612	COM+ System

Loads dropped DLL 2 IoCs

pid	Process
2340	bc3650f02c898c4338f8cda12e77f749.exe
2340	bc3650f02c898c4338f8cda12e77f749.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\COM+ System	bc3650f02c898c4338f8cda12e77f749.exe
File opened for modification	C:\Windows\SysWOW64\COM+ System	bc3650f02c898c4338f8cda12e77f749.exe
File opened for modification	C:\Windows\SysWOW64\COM+ System	COM+ System
File created	C:\Windows\SysWOW64\Deledomn.bat	bc3650f02c898c4338f8cda12e77f749.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 1612	2340	bc3650f02c898c4338f8cda12e77f749.exe	28
PID 2340 wrote to memory of 1612	2340	bc3650f02c898c4338f8cda12e77f749.exe	28
PID 2340 wrote to memory of 1612	2340	bc3650f02c898c4338f8cda12e77f749.exe	28
PID 2340 wrote to memory of 1612	2340	bc3650f02c898c4338f8cda12e77f749.exe	28
PID 2340 wrote to memory of 2664	2340	bc3650f02c898c4338f8cda12e77f749.exe	29
PID 2340 wrote to memory of 2664	2340	bc3650f02c898c4338f8cda12e77f749.exe	29
PID 2340 wrote to memory of 2664	2340	bc3650f02c898c4338f8cda12e77f749.exe	29
PID 2340 wrote to memory of 2664	2340	bc3650f02c898c4338f8cda12e77f749.exe	29

C:\Users\Admin\AppData\Local\Temp\bc3650f02c898c4338f8cda12e77f749.exe
"C:\Users\Admin\AppData\Local\Temp\bc3650f02c898c4338f8cda12e77f749.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\SysWOW64\COM+ System
  "C:\Windows\system32\COM+ System"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deledomn.bat
  2⤵
  - Deletes itself
  PID:2664

C:\Windows\SysWOW64\COM+ System

Filesize
28KB

MD5
bc3650f02c898c4338f8cda12e77f749

SHA1
1d90666852d6fc0a423f87f25f49d04835c2af5b

SHA256
f07aecb3ba407fb0fd928086c56008de165b9a49732fca332aa6fb7a14c01d26

SHA512
5fb0d62e9f0fe14a806b8d0a2e1826f823fcf8fe8af03f8b338962a322921aad1bac8aa12e24086b7f82bd9e91b140cda02f00a8eb1a5d7fc935f20ad93c2d33

Download Submit
C:\Windows\SysWOW64\Deledomn.bat

Filesize
184B

MD5
b14dd89c8151e7909e1f916ccb7f3138

SHA1
9bac4b2abc9f1fb7edcf8501c9bced10ef3ac6a5

SHA256
01c046706d619b0868955bc832c749ca32c4e724ea084e8d882f7477845b6c2d

SHA512
5c52c2743a26f2660a234a2ecde5829005897d2be2e4ef367eb108965a40236abd6b5641acd656f3c2da3d2341f33b18c0793b649a41741520d55a6c1bc49cf8

Download Submit
memory/1612-15-0x0000000000400000-0x0000000000413030-memory.dmp

Filesize
76KB

Download
memory/1612-12-0x0000000000400000-0x0000000000413030-memory.dmp

Filesize
76KB

Download
memory/2340-22-0x0000000000400000-0x0000000000413030-memory.dmp

Filesize
76KB

Download
memory/2340-11-0x00000000004A0000-0x00000000004B4000-memory.dmp

Filesize
80KB

Download
memory/2340-4-0x00000000004A0000-0x00000000004B4000-memory.dmp

Filesize
80KB

Download
memory/2340-0-0x0000000000400000-0x0000000000413030-memory.dmp

Filesize
76KB

Download