879d26445f5f2824577a9896c3eb69bace88399b646f7c2a4979888fc9e618d4

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/03/2024, 18:21

Target

dea7175c95b0499e1bf1346ac742b064.exe
Size

96KB
MD5

dea7175c95b0499e1bf1346ac742b064
SHA1

0d1900212b4fdc0f757d48074bd7a59d352b602b
SHA256

879d26445f5f2824577a9896c3eb69bace88399b646f7c2a4979888fc9e618d4
SHA512

ad99f32abc4602f156675d18c3510e5ece06a693c5fb4af7511fea181dbd4cbe256494407510e1bad1814ea4379b28415d1ff5d70c06d09e1cd81b817539e15d
SSDEEP

768:MmH1KwVE8BGacEvnb7vRHwEEEEEwERGq+kZoQ+vKdliXSVAFD/mjmH1KwLDXY+5J:l2KdlIBFZbXYQIt7

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1392	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2804	dea7175c95b0499e1bf1346ac742b064.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vlihzouhgnfe.cfg	dea7175c95b0499e1bf1346ac742b064.exe
File opened for modification	C:\Windows\SysWOW64\vlihzouhgnfe.dll	dea7175c95b0499e1bf1346ac742b064.exe
File created	C:\Windows\SysWOW64\vlihzouhgnfe.dll	dea7175c95b0499e1bf1346ac742b064.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2804	dea7175c95b0499e1bf1346ac742b064.exe
2804	dea7175c95b0499e1bf1346ac742b064.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 1392	2804	dea7175c95b0499e1bf1346ac742b064.exe	28
PID 2804 wrote to memory of 1392	2804	dea7175c95b0499e1bf1346ac742b064.exe	28
PID 2804 wrote to memory of 1392	2804	dea7175c95b0499e1bf1346ac742b064.exe	28
PID 2804 wrote to memory of 1392	2804	dea7175c95b0499e1bf1346ac742b064.exe	28

C:\Users\Admin\AppData\Local\Temp\dea7175c95b0499e1bf1346ac742b064.exe
"C:\Users\Admin\AppData\Local\Temp\dea7175c95b0499e1bf1346ac742b064.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\dea7175c95b0499e1bf1346ac742b064.exe"
  2⤵
  - Deletes itself
  PID:1392

\Windows\SysWOW64\vlihzouhgnfe.dll

Filesize
12KB

MD5
55c8d64789d37de12c6cffe6c1320f78

SHA1
c9fd6d379a430a123a2271cefb30e496f4191cf5

SHA256
d6079be2f73e086b556d43cd404945bc2663fe285b3cef94b552b0295b7ccf0a

SHA512
21fa2d724bd0ebf89a82f5bbe0f221143066dd0af93f645be24743eebd221bcc1b726f37a32752c3cbc8e75ffe3fc4dc51020d199d35b72bd9df356d3aaab2c4

Download Submit
memory/2804-3-0x0000000025000000-0x000000002501C000-memory.dmp

Filesize
112KB

Download
memory/2804-7-0x0000000025000000-0x000000002501C000-memory.dmp

Filesize
112KB

Download