563987753349e571457d03bac79b9f22f256252e5422c491ece652d23ba780a7

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 07:40

Target

be0bd90caef0637636d4c99b336e5da0.exe
Size

52KB
MD5

be0bd90caef0637636d4c99b336e5da0
SHA1

2a2469e542661a6cf1fdcb208f0e41006bbfa493
SHA256

563987753349e571457d03bac79b9f22f256252e5422c491ece652d23ba780a7
SHA512

650e7b2d660c20436a06b578f81fd65085df80f9fc59a566ba72b9bbe7fa575debc018ca47de765d4d2e9dd4f9677f5c6c72963abcbc516dc816cc8f0ffd1bf3
SSDEEP

768:aU7vicnZNkr6gw5USjtxDxV9GDAppPjursPCOy/nOdf5R8LLjrZ6Y1XM:aUvi+NkruZDdV9oApj3rSLPZ6

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1776	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2624	gjifergz.exe

Loads dropped DLL 2 IoCs

pid	Process
1420	be0bd90caef0637636d4c99b336e5da0.exe
1420	be0bd90caef0637636d4c99b336e5da0.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1420	be0bd90caef0637636d4c99b336e5da0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 2624	1420	be0bd90caef0637636d4c99b336e5da0.exe	31
PID 1420 wrote to memory of 2624	1420	be0bd90caef0637636d4c99b336e5da0.exe	31
PID 1420 wrote to memory of 2624	1420	be0bd90caef0637636d4c99b336e5da0.exe	31
PID 1420 wrote to memory of 2624	1420	be0bd90caef0637636d4c99b336e5da0.exe	31
PID 1420 wrote to memory of 1776	1420	be0bd90caef0637636d4c99b336e5da0.exe	32
PID 1420 wrote to memory of 1776	1420	be0bd90caef0637636d4c99b336e5da0.exe	32
PID 1420 wrote to memory of 1776	1420	be0bd90caef0637636d4c99b336e5da0.exe	32
PID 1420 wrote to memory of 1776	1420	be0bd90caef0637636d4c99b336e5da0.exe	32

C:\Users\Admin\AppData\Local\Temp\be0bd90caef0637636d4c99b336e5da0.exe
"C:\Users\Admin\AppData\Local\Temp\be0bd90caef0637636d4c99b336e5da0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1420
- C:\ProgramData\etuxgfix\gjifergz.exe
  C:\ProgramData\etuxgfix\gjifergz.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\SysWOW64\cmd.exe
  /c del /f C:\Users\Admin\AppData\Local\Temp\BE0BD9~1.EXE.bak >> NUL
  2⤵
  - Deletes itself
  PID:1776

\ProgramData\etuxgfix\gjifergz.exe

Filesize
52KB

MD5
be0bd90caef0637636d4c99b336e5da0

SHA1
2a2469e542661a6cf1fdcb208f0e41006bbfa493

SHA256
563987753349e571457d03bac79b9f22f256252e5422c491ece652d23ba780a7

SHA512
650e7b2d660c20436a06b578f81fd65085df80f9fc59a566ba72b9bbe7fa575debc018ca47de765d4d2e9dd4f9677f5c6c72963abcbc516dc816cc8f0ffd1bf3

Download Submit