975b37cf53242bfd9d99547e015eee8c4ea039fe68923338c74a52664d2bd487

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/03/2024, 15:22

Target

de53d34f4f0382ca6b01e740a3c4bc4d.exe
Size

520KB
MD5

de53d34f4f0382ca6b01e740a3c4bc4d
SHA1

80bb9170e096bbc8c275b5e76b185174b083e05d
SHA256

975b37cf53242bfd9d99547e015eee8c4ea039fe68923338c74a52664d2bd487
SHA512

5c027cc2a96e754418632378ac7648e7ab1e55e0134341d6b6b4f4e8481715321b3cf1e7929745adb263745de93350ce3e30c5831677703f358c4a6fb37eb941
SSDEEP

6144:afxtvln6cIY39woSl/wdh3GUnTr/6EluW1Psv7:afxNF3nNwoSlQ3hT7oWK7

Score

8^/10

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\TXPlatform.exe	de53d34f4f0382ca6b01e740a3c4bc4d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\TXPlatform.exe	de53d34f4f0382ca6b01e740a3c4bc4d.exe

Deletes itself 1 IoCs

pid	Process
3016	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2812	TXPlatform.exe

Loads dropped DLL 2 IoCs

pid	Process
2164	de53d34f4f0382ca6b01e740a3c4bc4d.exe
2164	de53d34f4f0382ca6b01e740a3c4bc4d.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 3016	2164	de53d34f4f0382ca6b01e740a3c4bc4d.exe	28
PID 2164 wrote to memory of 3016	2164	de53d34f4f0382ca6b01e740a3c4bc4d.exe	28
PID 2164 wrote to memory of 3016	2164	de53d34f4f0382ca6b01e740a3c4bc4d.exe	28
PID 2164 wrote to memory of 3016	2164	de53d34f4f0382ca6b01e740a3c4bc4d.exe	28
PID 2164 wrote to memory of 2812	2164	de53d34f4f0382ca6b01e740a3c4bc4d.exe	30
PID 2164 wrote to memory of 2812	2164	de53d34f4f0382ca6b01e740a3c4bc4d.exe	30
PID 2164 wrote to memory of 2812	2164	de53d34f4f0382ca6b01e740a3c4bc4d.exe	30
PID 2164 wrote to memory of 2812	2164	de53d34f4f0382ca6b01e740a3c4bc4d.exe	30

C:\Users\Admin\AppData\Local\Temp\de53d34f4f0382ca6b01e740a3c4bc4d.exe
"C:\Users\Admin\AppData\Local\Temp\de53d34f4f0382ca6b01e740a3c4bc4d.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\6$$.bat
  2⤵
  - Deletes itself
  PID:3016
- C:\Windows\SysWOW64\drivers\TXPlatform.exe
  C:\Windows\system32\drivers\TXPlatform.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2812

C:\Users\Admin\AppData\Local\Temp\6$$.bat

Filesize
485B

MD5
f2f4516677a8b069dbbd183df7965150

SHA1
88e18f169f79f625306304928c954ff61aaf131b

SHA256
aa3d95b41d5fbf93b70c9cb7d097da82864879d8ba2903a376526904600f3ef6

SHA512
31d921158496320b200f956eb47f1ecbae81d7f09454ee00ae575a0d6ee8a26fe962acf83899088f5abc910ab05159e2ddccd4be83db4b6fc0ade966125d3e1a

Download Submit
\Windows\SysWOW64\drivers\TXPlatform.exe

Filesize
444KB

MD5
ddca33ddfbc169e13c81b2661f777278

SHA1
ae443fe3e1087f05e4e2d8ab9549efa6177ebe07

SHA256
d63f50fca6ed71fb54dfa448a2de6b3566188a181076290c38e7f97bc8adcd9a

SHA512
4f924878167f8c63092724f2dd2ad7387cfb516572a9cf5e6997686401be8b49a306e1cf5e24590566e5f3f3ab0abf5b82dbce4956b6d03602ba54dd0d820045

Download Submit
memory/2164-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2164-17-0x0000000000300000-0x000000000036F000-memory.dmp

Filesize
444KB

Download
memory/2164-20-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2812-19-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download