79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a

Analysis

max time kernel
45s
max time network
19s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-03-2024 13:12

Target

79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a (1).exe
Size

1.5MB
MD5

9b8ecdecbe7ac4bbf4568817f6f1fc39
SHA1

d41567a74542711ccca62d5435046be6f3110d4c
SHA256

79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a
SHA512

828d8c3fe9e246d2905d06a0b1a8bd6fa259fe2412511a82eb40e2ebc20b91033c0049a830dc74bb4cfc60ecd5030ce9df540daa24f1c63af554490c8cae5ab2
SSDEEP

24576:tkvbQk+DgkJntzJ6ftUpd3V073hRzo8zqXUyInFXJGiwo:tkvbQ7TJnzaUpxVExhoBQsif

Score

5^/10

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\System32\ok.txt	79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a (1).exe
File opened for modification	C:\Windows\System32\ok.txt.KILL	79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a (1).exe
File created	C:\Windows\System32\temp.tmp	79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a (1).exe
File opened for modification	C:\Windows\System32\temp.tmp	79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a (1).exe
File created	C:\Windows\System32\temp.tmp.bmp	79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a (1).exe
File opened for modification	C:\Windows\System32\temp.tmp.jpg	79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a (1).exe
File created	C:\Windows\System32\info.txt	79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a (1).exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 1676	3048	79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a (1).exe	29
PID 3048 wrote to memory of 1676	3048	79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a (1).exe	29
PID 3048 wrote to memory of 1676	3048	79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a (1).exe	29
PID 1676 wrote to memory of 1616	1676	cmd.exe	30
PID 1676 wrote to memory of 1616	1676	cmd.exe	30
PID 1676 wrote to memory of 1616	1676	cmd.exe	30
PID 3048 wrote to memory of 2192	3048	79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a (1).exe	31
PID 3048 wrote to memory of 2192	3048	79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a (1).exe	31
PID 3048 wrote to memory of 2192	3048	79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a (1).exe	31
PID 3048 wrote to memory of 2164	3048	79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a (1).exe	33
PID 3048 wrote to memory of 2164	3048	79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a (1).exe	33
PID 3048 wrote to memory of 2164	3048	79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a (1).exe	33

C:\Users\Admin\AppData\Local\Temp\79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a (1).exe
"C:\Users\Admin\AppData\Local\Temp\79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a (1).exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh wlan export profile folder="C:\Windows\System32\wifies\\" key=clear && cls
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\system32\netsh.exe
    netsh wlan export profile folder="C:\Windows\System32\wifies\\" key=clear
    3⤵
    PID:1616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /s /b /a-d C:\Windows\System32\wifies\
  2⤵
  PID:2192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:2164

C:\Windows\System32\temp.tmp

Filesize
998B

MD5
06916138bc5f339b113984cce81bd714

SHA1
9491dbc9e699978f8c4be4718e66b7d973437aeb

SHA256
81d6201bb55bdd995a766d2cbf9a295235e3ad5d28fcc242cca47a51a473177b

SHA512
9b51c53617ee87e8074d829f55a956e952ecb44c6584e5e2e4b446298cbf6cb70c41c87b80da6c882a1412b9a7f51d1c69198dc68973b695b29e19480e9d742b

Download Submit
C:\Windows\System32\temp.tmp.bmp

Filesize
3.5MB

MD5
be1544d03017cd9cba278d7aff6f8f7f

SHA1
a318bc0d26524995be30d01b6f70ee8b2a57da57

SHA256
bf2c3c296b01c2b0eec6731b66cc6319c767008ec694fcb8abd4be7aa768fc0c

SHA512
f8756731d094646a5311908a5f15d187d1e42c6248b4a0024c626833b04c497c34944460b58306efbb51920724e7ee6127a9637dafeb5891d5ec0e075f05815d

Download Submit
memory/3048-57-0x000000013F600000-0x000000013F78F000-memory.dmp

Filesize
1.6MB

Download
memory/3048-58-0x000000013F600000-0x000000013F78F000-memory.dmp

Filesize
1.6MB

Download