6efa9e1e76d48f8cef714e50d2a683f757a0ea491724991d3a5a0992501ea87a

Analysis

max time kernel
118s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 21:18

Target

e01e64de026df30909bab32e277c5ad0.exe
Size

369KB
MD5

e01e64de026df30909bab32e277c5ad0
SHA1

6f4a626c0ec25d69cf1dc926ec5002d9b146cfba
SHA256

6efa9e1e76d48f8cef714e50d2a683f757a0ea491724991d3a5a0992501ea87a
SHA512

9cd57b4500ddd8a225d4b7e90f90c581c92fc8b9c2860ec7560457d9175cf3d696e59a6a91d87f3aabf4151da8fdc0234391cf4b6b65e47773025ee1976fae43
SSDEEP

6144:KN7roRamyCa13m2+l3lObTaJE6J4BQgRBBSerDsQd2TMRLwLHr8zXHtBQs:KNhCa5GObGJOBQFervd2TrodBP

Score

7^/10

Deletes itself 1 IoCs

pid	Process
820	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2872 set thread context of 1316	2872	e01e64de026df30909bab32e277c5ad0.exe	28

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\S0UNDMAN.EXE	e01e64de026df30909bab32e277c5ad0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\S0UNDMAN.EXE	e01e64de026df30909bab32e277c5ad0.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 1316	2872	e01e64de026df30909bab32e277c5ad0.exe	28
PID 2872 wrote to memory of 1316	2872	e01e64de026df30909bab32e277c5ad0.exe	28
PID 2872 wrote to memory of 1316	2872	e01e64de026df30909bab32e277c5ad0.exe	28
PID 2872 wrote to memory of 1316	2872	e01e64de026df30909bab32e277c5ad0.exe	28
PID 2872 wrote to memory of 1316	2872	e01e64de026df30909bab32e277c5ad0.exe	28
PID 2872 wrote to memory of 1316	2872	e01e64de026df30909bab32e277c5ad0.exe	28
PID 2872 wrote to memory of 820	2872	e01e64de026df30909bab32e277c5ad0.exe	29
PID 2872 wrote to memory of 820	2872	e01e64de026df30909bab32e277c5ad0.exe	29
PID 2872 wrote to memory of 820	2872	e01e64de026df30909bab32e277c5ad0.exe	29
PID 2872 wrote to memory of 820	2872	e01e64de026df30909bab32e277c5ad0.exe	29

C:\Users\Admin\AppData\Local\Temp\e01e64de026df30909bab32e277c5ad0.exe
"C:\Users\Admin\AppData\Local\Temp\e01e64de026df30909bab32e277c5ad0.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe ¨Á
  2⤵
  PID:1316
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del /F "C:\Users\Admin\AppData\Local\Temp\e01e64de026df30909bab32e277c5ad0.exe"
  2⤵
  - Deletes itself
  PID:820

memory/1316-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1316-6-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2872-0-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2872-1-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2872-2-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2872-3-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2872-11-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download