ea0734849781da52e0bc42015cbb6d2536ec7db393c3c1bee67169d8f979ebfa

Analysis

max time kernel
93s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2024, 04:03

Target

ea0734849781da52e0bc42015cbb6d2536ec7db393c3c1bee67169d8f979ebfa.exe
Size

73KB
MD5

2e55ab66a96188e4a88a69f5179b3a5d
SHA1

fcc41b196436bdf7824cd039eeed339797592758
SHA256

ea0734849781da52e0bc42015cbb6d2536ec7db393c3c1bee67169d8f979ebfa
SHA512

f2c8f0eae89557b58b009c612f0b3083900f3e260c1a9b4c2e513333e8c23ba6fc90b160ef80e1e7f81c6036b412b2020a31c31f620fa3c873b76d40ecc2196c
SSDEEP

1536:hbjtsDBBMDhK5QPqfhVWbdsmA+RjPFLC+e5hE0ZGUGf2g:hfhDhNPqfcxA+HFshEOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
372	[email protected]

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1376	1636	ea0734849781da52e0bc42015cbb6d2536ec7db393c3c1bee67169d8f979ebfa.exe	84
PID 1636 wrote to memory of 1376	1636	ea0734849781da52e0bc42015cbb6d2536ec7db393c3c1bee67169d8f979ebfa.exe	84
PID 1636 wrote to memory of 1376	1636	ea0734849781da52e0bc42015cbb6d2536ec7db393c3c1bee67169d8f979ebfa.exe	84
PID 1376 wrote to memory of 372	1376	cmd.exe	85
PID 1376 wrote to memory of 372	1376	cmd.exe	85
PID 1376 wrote to memory of 372	1376	cmd.exe	85
PID 372 wrote to memory of 5008	372	[email protected]	86
PID 372 wrote to memory of 5008	372	[email protected]	86
PID 372 wrote to memory of 5008	372	[email protected]	86

C:\Users\Admin\AppData\Local\Temp\ea0734849781da52e0bc42015cbb6d2536ec7db393c3c1bee67169d8f979ebfa.exe
"C:\Users\Admin\AppData\Local\Temp\ea0734849781da52e0bc42015cbb6d2536ec7db393c3c1bee67169d8f979ebfa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 16256.exe
      4⤵
      PID:5008

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
2979421999243303aba87bebe3ac8a1c

SHA1
13121ee80d3503e714d5f790429e5dc9fc3412b5

SHA256
0c5f8e3762a2716989482a41846bd6f27cc17da4fe8a770d72db4e1d3649b7f0

SHA512
0e38779bc934d42ab5869238fe9dcc1dbe888711899cbf7ceab4e4818ce54d34ed8d9499080f5816eb0eb892e4ffbc02658585dcfd00d1aa270f28a563558357

Download Submit
C:\Users\Admin\AppData\Local\Temp\16256.exe

Filesize
2KB

MD5
7b621943a35e7f39cf89f50cc48d7b94

SHA1
2858a28cf60f38025fffcd0ba2ecfec8511c197d

SHA256
bef04c2f89dc115ce2763558933dba1767bf30cda6856d335ae68955923f9991

SHA512
4169e664ad4e7e6891a05ceed78465e0ec44879b37fc0de97c014945e10c161f6bfb040efc24edc136e69bb115b2a1327b04cefb58141f712da856129872e8f1

Download Submit
memory/372-7-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1636-8-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download