8b8ae67ffad201f038c3571249b17b8c5f602801541a47ca088cbbdbbc79700d

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 22:12

Target

e037d15c75045ccead0bc9e423800d59.exe
Size

18KB
MD5

e037d15c75045ccead0bc9e423800d59
SHA1

0c9c7185f47ef2e087cad3b6b2a63aeb08fd15f6
SHA256

8b8ae67ffad201f038c3571249b17b8c5f602801541a47ca088cbbdbbc79700d
SHA512

9926ed05ca2b2130953c58cda0f1ebd9c87dfcdd1557afc8f28f7fd92051919ee0eab2a1fc9f6c7756a313cd8d0440ca5f3ee6b443b6e45f7875ec7d2d08b639
SSDEEP

384:Hq4g0/4V3aFdHc5Y9e7cj+FPPNWhgPUMJi/NXcT19SkDieX0Vt:Kf0/4ZE8keYqFXUo4c/vX0P

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2856	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Deleteme.bat	e037d15c75045ccead0bc9e423800d59.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 640 set thread context of 2944	640	e037d15c75045ccead0bc9e423800d59.exe	28

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 2944	640	e037d15c75045ccead0bc9e423800d59.exe	28
PID 640 wrote to memory of 2944	640	e037d15c75045ccead0bc9e423800d59.exe	28
PID 640 wrote to memory of 2944	640	e037d15c75045ccead0bc9e423800d59.exe	28
PID 640 wrote to memory of 2944	640	e037d15c75045ccead0bc9e423800d59.exe	28
PID 640 wrote to memory of 2944	640	e037d15c75045ccead0bc9e423800d59.exe	28
PID 640 wrote to memory of 2944	640	e037d15c75045ccead0bc9e423800d59.exe	28
PID 640 wrote to memory of 2856	640	e037d15c75045ccead0bc9e423800d59.exe	29
PID 640 wrote to memory of 2856	640	e037d15c75045ccead0bc9e423800d59.exe	29
PID 640 wrote to memory of 2856	640	e037d15c75045ccead0bc9e423800d59.exe	29
PID 640 wrote to memory of 2856	640	e037d15c75045ccead0bc9e423800d59.exe	29

C:\Users\Admin\AppData\Local\Temp\e037d15c75045ccead0bc9e423800d59.exe
"C:\Users\Admin\AppData\Local\Temp\e037d15c75045ccead0bc9e423800d59.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\SysWOW64\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:2944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  - Deletes itself
  PID:2856

C:\Windows\SysWOW64\Deleteme.bat

Filesize
184B

MD5
41c3a92f4047feef533b537069b45444

SHA1
aec911fc5656de97165bc81e20849e85f79b63ab

SHA256
71335f0fd29a3183c7cfcd28ce4e4db6930d9429e2d21a9ad397974feee1958d

SHA512
ab79705442bb975ff831efebb38555789e644f94491140fd6e6a6d2d1ea5fbf6a4089722ea63616bc022649e11c8e521882708858fa66903f44be5a374cf84ed

Download Submit
memory/640-0-0x0000000000400000-0x0000000000414835-memory.dmp

Filesize
82KB

Download
memory/640-1-0x0000000000400000-0x0000000000414835-memory.dmp

Filesize
82KB

Download
memory/640-2-0x0000000000400000-0x0000000000414835-memory.dmp

Filesize
82KB

Download
memory/640-16-0x0000000000400000-0x0000000000414835-memory.dmp

Filesize
82KB

Download
memory/2944-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2944-5-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2944-7-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download