76c86cfa4f00296d4fc9aa3cc62627237dcc2ad41f301f45cccc47fbbb0541b2

Analysis

max time kernel
91s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 23:01

Target

76c86cfa4f00296d4fc9aa3cc62627237dcc2ad41f301f45cccc47fbbb0541b2.exe
Size

73KB
MD5

79942c1767f34f79a77a581a5e3db552
SHA1

1323eaa1c1c7fa3089232d82acc9b93313ba1553
SHA256

76c86cfa4f00296d4fc9aa3cc62627237dcc2ad41f301f45cccc47fbbb0541b2
SHA512

cdb544732006fb14f2323b4e0eebfd02de74f04f3fd9b083475962baa2201f33bdfa7483c51cd6175d26c7af7d2903ceb571f7e9b56950011c5523f8c2396245
SSDEEP

1536:hb6iUCLptK5QPqfhVWbdsmA+RjPFLC+e5hD0ZGUGf2g:hDvptNPqfcxA+HFshDOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1272	[email protected]

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 812	2372	76c86cfa4f00296d4fc9aa3cc62627237dcc2ad41f301f45cccc47fbbb0541b2.exe	91
PID 2372 wrote to memory of 812	2372	76c86cfa4f00296d4fc9aa3cc62627237dcc2ad41f301f45cccc47fbbb0541b2.exe	91
PID 2372 wrote to memory of 812	2372	76c86cfa4f00296d4fc9aa3cc62627237dcc2ad41f301f45cccc47fbbb0541b2.exe	91
PID 812 wrote to memory of 1272	812	cmd.exe	92
PID 812 wrote to memory of 1272	812	cmd.exe	92
PID 812 wrote to memory of 1272	812	cmd.exe	92
PID 1272 wrote to memory of 3240	1272	[email protected]	93
PID 1272 wrote to memory of 3240	1272	[email protected]	93
PID 1272 wrote to memory of 3240	1272	[email protected]	93

C:\Users\Admin\AppData\Local\Temp\76c86cfa4f00296d4fc9aa3cc62627237dcc2ad41f301f45cccc47fbbb0541b2.exe
"C:\Users\Admin\AppData\Local\Temp\76c86cfa4f00296d4fc9aa3cc62627237dcc2ad41f301f45cccc47fbbb0541b2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:3240

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
2f791805d90bab832cafea5a045f2a36

SHA1
c04011b0d278e4329b77cf397e4a76d56c6bf349

SHA256
e40115b35a4c0ef7325fedd6076a1fbcac6f9875a724fe0e86b4b6794f1b3ab8

SHA512
7889a89a01e09586545cd1d756b3eefbd5183dfa9a2bc07b5c8757a36c9d61bbb91527e68022f217c50fdd7068e066eb12b3dbafee066f6899bdc7fa8b50bd03

Download Submit
C:\Users\Admin\AppData\Local\Temp\00.exe

Filesize
2KB

MD5
7b621943a35e7f39cf89f50cc48d7b94

SHA1
2858a28cf60f38025fffcd0ba2ecfec8511c197d

SHA256
bef04c2f89dc115ce2763558933dba1767bf30cda6856d335ae68955923f9991

SHA512
4169e664ad4e7e6891a05ceed78465e0ec44879b37fc0de97c014945e10c161f6bfb040efc24edc136e69bb115b2a1327b04cefb58141f712da856129872e8f1

Download Submit
memory/1272-7-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2372-8-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download