bd587f37e0e4fc41f407c0cca47a2692a581c66a891ac9e0176d3d30068d41bc

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 01:35

Target

bd587f37e0e4fc41f407c0cca47a2692a581c66a891ac9e0176d3d30068d41bc.exe
Size

61KB
MD5

b5b38e9a5787ac15b657f3e2a6fb7197
SHA1

4d36cf06e5d6df07c02d6e3ea763b874abe88529
SHA256

bd587f37e0e4fc41f407c0cca47a2692a581c66a891ac9e0176d3d30068d41bc
SHA512

f7ffd26a336bc962cfc49ce20ea0007c9b13395942c5db783bc6c6b0eda85c602aa367b4ec3e670a4fe94f417ed8d14cd2ac63745ab7a2132999c05a4592e673
SSDEEP

1536:Httdse4OcUmWQIvEPZo6E5sEFd29NQgA2wHle5:vdse4OlQZo6EKEFdGM2Sle5

Score

7^/10

Executes dropped EXE 3 IoCs

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\viesazm.mpk	ewiuer2.exe
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\viesazm.mpk	ewiuer2.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 4236	3004	bd587f37e0e4fc41f407c0cca47a2692a581c66a891ac9e0176d3d30068d41bc.exe	85
PID 3004 wrote to memory of 4236	3004	bd587f37e0e4fc41f407c0cca47a2692a581c66a891ac9e0176d3d30068d41bc.exe	85
PID 3004 wrote to memory of 4236	3004	bd587f37e0e4fc41f407c0cca47a2692a581c66a891ac9e0176d3d30068d41bc.exe	85
PID 4236 wrote to memory of 2408	4236	ewiuer2.exe	94
PID 4236 wrote to memory of 2408	4236	ewiuer2.exe	94
PID 4236 wrote to memory of 2408	4236	ewiuer2.exe	94
PID 2408 wrote to memory of 3800	2408	ewiuer2.exe	97
PID 2408 wrote to memory of 3800	2408	ewiuer2.exe	97
PID 2408 wrote to memory of 3800	2408	ewiuer2.exe	97

C:\Users\Admin\AppData\Local\Temp\bd587f37e0e4fc41f407c0cca47a2692a581c66a891ac9e0176d3d30068d41bc.exe
"C:\Users\Admin\AppData\Local\Temp\bd587f37e0e4fc41f407c0cca47a2692a581c66a891ac9e0176d3d30068d41bc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\SysWOW64\ewiuer2.exe
      C:\Windows\SysWOW64\ewiuer2.exe /nomove
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:3800

C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
b99e3166bfec8d2cb24385bee6893970

SHA1
053b0a994c050b933a44cc040666bdbb08ac8533

SHA256
da180401d557ecbaf6f556c5439ef129d16ad3789a98d98ff2a1649ef582e765

SHA512
eac7cd9b2ab5825887937e37a532b733dd1cae565ce686c2055abe3e78fd24262e50361c854e80ab2ca04fa28e83a33a63ab149fd46e141779cb8b500dc6dbf5

Download Submit
C:\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
acfb82453534a69e4926764ee2b99834

SHA1
95db1fe4b145df0631abb8306a103fc8995c8a49

SHA256
2a87601ea41d1e60f9fd6f5fa547ec53d39b0961ea0da361b3df1710ccaf2ec7

SHA512
2da457aeb6ed574ab76df88e70aff36c9d679675deabe3c2279d3672d8e1393c438112a63afdeefb317053f53e0f47d491c1894e6da81bf98451c05f77398c11

Download Submit