31606dbbf813ca5e00ef4d844c352f5d219259aa73f472edf0020adb5796d77d

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 10:37

Target

cb30bc58445732712f2173ed5f9c0984.exe
Size

35KB
MD5

cb30bc58445732712f2173ed5f9c0984
SHA1

cc938a4d748a8d89b6bd0911c5864e40c706c821
SHA256

31606dbbf813ca5e00ef4d844c352f5d219259aa73f472edf0020adb5796d77d
SHA512

b48bad408c9d94b25236f3456ac024dd4672e89ac510695f0d7db1849577e6fd32047a21bcf8dac74aa2f9e1133d2751827ec7b25ec57c9ebb668fd2fe36f940
SSDEEP

768:rIKfXsh9PagyAtPchL1lCaW2g/CVGNvg+fJRBmUOZ0xtKxQcEyuE:rIKEh9CgykUbldW2gzg+fSSHw

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2624	reg.gin

Loads dropped DLL 2 IoCs

pid	Process
1312	cb30bc58445732712f2173ed5f9c0984.exe
1312	cb30bc58445732712f2173ed5f9c0984.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\reg.gin	cb30bc58445732712f2173ed5f9c0984.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1312 set thread context of 2624	1312	cb30bc58445732712f2173ed5f9c0984.exe	28
PID 1312 set thread context of 2624	1312	cb30bc58445732712f2173ed5f9c0984.exe	28
PID 1312 set thread context of 2624	1312	cb30bc58445732712f2173ed5f9c0984.exe	28
PID 1312 set thread context of 2624	1312	cb30bc58445732712f2173ed5f9c0984.exe	28
PID 1312 set thread context of 2624	1312	cb30bc58445732712f2173ed5f9c0984.exe	28

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2624	1312	cb30bc58445732712f2173ed5f9c0984.exe	28
PID 1312 wrote to memory of 2624	1312	cb30bc58445732712f2173ed5f9c0984.exe	28
PID 1312 wrote to memory of 2624	1312	cb30bc58445732712f2173ed5f9c0984.exe	28
PID 1312 wrote to memory of 2624	1312	cb30bc58445732712f2173ed5f9c0984.exe	28

C:\Users\Admin\AppData\Local\Temp\cb30bc58445732712f2173ed5f9c0984.exe
"C:\Users\Admin\AppData\Local\Temp\cb30bc58445732712f2173ed5f9c0984.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\SysWOW64\reg.gin
  "C:\Windows\system32\reg.gin"
  2⤵
  - Executes dropped EXE
  PID:2624

\Windows\SysWOW64\reg.gin

Filesize
1KB

MD5
b7e3c647184c25ba1a87a81f00bd2172

SHA1
ed9f0ca9c41838f8db6082ad3677c4e4981f1798

SHA256
a6300bb387ae0bcf89adfcbb89f908740b5540ef77fae1f4cbec45689a6802fd

SHA512
c7490fd2c8d73a1c2fec3d0d8cc428c6d1a498ea929538732da704a25361785a6d474ad06d2417aa7b255fdd83dbfe641cb231d979ebba805951e667f4e2f965

Download Submit
memory/1312-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download