7a760d0043585078166bbce8451ac6d6b1380613301c09e94b0bd3a5617d843b

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 22:04

Target

7a760d0043585078166bbce8451ac6d6b1380613301c09e94b0bd3a5617d843b.exe
Size

73KB
MD5

51a381e74b126c48362af96ecc09af0d
SHA1

cd4ebe9dec3fe7551f04bc5f0607791bff93b3de
SHA256

7a760d0043585078166bbce8451ac6d6b1380613301c09e94b0bd3a5617d843b
SHA512

3bdabcef278d97574238b537a4d4e1f79ce134be16808759db444116368078fb009c2c52c7cfac64be2f23427153756530947028f33bd0ad6051a8f215e42311
SSDEEP

1536:hbLWt0pG7PK5QPqfhVWbdsmA+RjPFLC+e5ht0ZGUGf2g:hZAPNPqfcxA+HFshtOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1264	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
2008	cmd.exe
2008	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2008	1312	7a760d0043585078166bbce8451ac6d6b1380613301c09e94b0bd3a5617d843b.exe	29
PID 1312 wrote to memory of 2008	1312	7a760d0043585078166bbce8451ac6d6b1380613301c09e94b0bd3a5617d843b.exe	29
PID 1312 wrote to memory of 2008	1312	7a760d0043585078166bbce8451ac6d6b1380613301c09e94b0bd3a5617d843b.exe	29
PID 1312 wrote to memory of 2008	1312	7a760d0043585078166bbce8451ac6d6b1380613301c09e94b0bd3a5617d843b.exe	29
PID 2008 wrote to memory of 1264	2008	cmd.exe	30
PID 2008 wrote to memory of 1264	2008	cmd.exe	30
PID 2008 wrote to memory of 1264	2008	cmd.exe	30
PID 2008 wrote to memory of 1264	2008	cmd.exe	30
PID 1264 wrote to memory of 2964	1264	[email protected]	31
PID 1264 wrote to memory of 2964	1264	[email protected]	31
PID 1264 wrote to memory of 2964	1264	[email protected]	31
PID 1264 wrote to memory of 2964	1264	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\7a760d0043585078166bbce8451ac6d6b1380613301c09e94b0bd3a5617d843b.exe
"C:\Users\Admin\AppData\Local\Temp\7a760d0043585078166bbce8451ac6d6b1380613301c09e94b0bd3a5617d843b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:2964

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
e38630bf2f03653996040385146b7381

SHA1
e5fcc21747945413face68a12d016a9cfce9ed60

SHA256
6252fb7b2f46aee6997c192a9b1cc37dc78b64d1adee9fdafc099539859d56d7

SHA512
419dc2856d998fc360ce3fcfbc243baec9bc0a4c5e56b85b367c252cced54a58e5eed3a9a9ac04c47cca994d2cbebfa63b38c6c70ab680eb64a947a2ae8b5a48

Download Submit
memory/1264-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1312-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download