90e0d081a0014cf7ae16bf7a65c18ff848f9fa5e97fd82cdf931533ed419ae7e

Analysis

max time kernel
118s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 10:39

Target

be66117562e7407349f760c24f2ce06e.exe
Size

189KB
MD5

be66117562e7407349f760c24f2ce06e
SHA1

eab641157b93c85a1167ae873f0070ccb5ecbc96
SHA256

90e0d081a0014cf7ae16bf7a65c18ff848f9fa5e97fd82cdf931533ed419ae7e
SHA512

3a5489972cedf1110fccf0a2d1c89c327a528eb0e5b5e3a59bce3044e7273472798222da6395c6d54d470b81a8700c87432fb32589d2b355f88e473386030b7c
SSDEEP

3072:7i/5O3+EdruLh5T0vsvfN73W1/11OytH0sp5+D6qShDRMf9rcjEVqgjv/p:+xO3+Edr+5QUXccaH02G6qa86jOjHp

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2556	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2064	ravsons.exe

Loads dropped DLL 6 IoCs

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2480	2064	WerFault.exe	28

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2064	2016	be66117562e7407349f760c24f2ce06e.exe	28
PID 2016 wrote to memory of 2064	2016	be66117562e7407349f760c24f2ce06e.exe	28
PID 2016 wrote to memory of 2064	2016	be66117562e7407349f760c24f2ce06e.exe	28
PID 2016 wrote to memory of 2064	2016	be66117562e7407349f760c24f2ce06e.exe	28
PID 2064 wrote to memory of 2480	2064	ravsons.exe	29
PID 2064 wrote to memory of 2480	2064	ravsons.exe	29
PID 2064 wrote to memory of 2480	2064	ravsons.exe	29
PID 2064 wrote to memory of 2480	2064	ravsons.exe	29
PID 2016 wrote to memory of 2556	2016	be66117562e7407349f760c24f2ce06e.exe	30
PID 2016 wrote to memory of 2556	2016	be66117562e7407349f760c24f2ce06e.exe	30
PID 2016 wrote to memory of 2556	2016	be66117562e7407349f760c24f2ce06e.exe	30
PID 2016 wrote to memory of 2556	2016	be66117562e7407349f760c24f2ce06e.exe	30

C:\Users\Admin\AppData\Local\Temp\be66117562e7407349f760c24f2ce06e.exe
"C:\Users\Admin\AppData\Local\Temp\be66117562e7407349f760c24f2ce06e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\ravsons.exe
  C:\Users\Admin\AppData\Local\Temp\ravsons.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 44
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ddmtrayk2.bat
  2⤵
  - Deletes itself
  PID:2556

C:\Users\Admin\AppData\Local\Temp\ddmtrayk2.bat

Filesize
182B

MD5
d09220a16c12777bec368482e0514a56

SHA1
9dd7d372d0eb5a0b0cd5c15470b53a7ef4e2c458

SHA256
9be83f98fc200661eb27158bf1255a8e4042889afbb53fc3a6783583f7e14426

SHA512
8072c722a34d82d7da0dd23e96e94dfb92b3b57c3d8d1aff1a0e6ffa8875eefa190654b9547ae37820374d23885799b319e9b53da974aacd5b731b6bcb4c238b

Download Submit
\Users\Admin\AppData\Local\Temp\ravsons.exe

Filesize
100KB

MD5
679b974554505fdacd8c79eae2735664

SHA1
5975cbab2aae0c10e676dcc51f9cedef5db4413d

SHA256
d9be6be8ac93fc7e4d1469a97863e6d1b0501c03f5bdd82df4632a52aa5a2bc3

SHA512
653cc0755e0ce3bb448e10c5ac3f582b3a1d0aeeb6c1dc0ad586adfc500ca5b6a68bc0e0fd4bc9851d8c78448be1d149d3cc896d439627da2aeff13736ef1427

Download Submit
memory/2016-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2016-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2016-14-0x0000000000220000-0x000000000025B000-memory.dmp

Filesize
236KB

Download
memory/2016-21-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2016-20-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2016-29-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2064-15-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download