172122a22a15c01bef8d33469f97c3965a8808cf509fdf5a464da8e0e59a5609

Analysis

max time kernel
25s
max time network
17s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 23:47

Target

Downloadsssr.exe
Size

17.8MB
MD5

1f56c79fc36f359f67aaf948d1f51686
SHA1

9331b7591a0825a53a8b2a9fd21dfa67f9bc1458
SHA256

172122a22a15c01bef8d33469f97c3965a8808cf509fdf5a464da8e0e59a5609
SHA512

720af8735628c2a08dbfd06f10faa39143b7442d88504a5c793267b002fe6d6c9406e9f149eb20ac0fe476833d64951d1148f789162b440d27b1b471d8e25281
SSDEEP

393216:aCbhCFzZ4DhdwEWPbyoI2eHNDTPGDlp+MN7SF5x/o:VCFzS7EP2/ADlp+MpK5lo

Score

1^/10

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2868	Downloadsssr.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2868	Downloadsssr.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2464	2868	Downloadsssr.exe	29
PID 2868 wrote to memory of 2464	2868	Downloadsssr.exe	29
PID 2868 wrote to memory of 2464	2868	Downloadsssr.exe	29
PID 2868 wrote to memory of 3048	2868	Downloadsssr.exe	30
PID 2868 wrote to memory of 3048	2868	Downloadsssr.exe	30
PID 2868 wrote to memory of 3048	2868	Downloadsssr.exe	30
PID 2868 wrote to memory of 2500	2868	Downloadsssr.exe	31
PID 2868 wrote to memory of 2500	2868	Downloadsssr.exe	31
PID 2868 wrote to memory of 2500	2868	Downloadsssr.exe	31
PID 2500 wrote to memory of 2572	2500	cmd.exe	32
PID 2500 wrote to memory of 2572	2500	cmd.exe	32
PID 2500 wrote to memory of 2572	2500	cmd.exe	32
PID 2500 wrote to memory of 2588	2500	cmd.exe	33
PID 2500 wrote to memory of 2588	2500	cmd.exe	33
PID 2500 wrote to memory of 2588	2500	cmd.exe	33
PID 2500 wrote to memory of 2592	2500	cmd.exe	34
PID 2500 wrote to memory of 2592	2500	cmd.exe	34
PID 2500 wrote to memory of 2592	2500	cmd.exe	34
PID 2868 wrote to memory of 2672	2868	Downloadsssr.exe	35
PID 2868 wrote to memory of 2672	2868	Downloadsssr.exe	35
PID 2868 wrote to memory of 2672	2868	Downloadsssr.exe	35

C:\Users\Admin\AppData\Local\Temp\Downloadsssr.exe
"C:\Users\Admin\AppData\Local\Temp\Downloadsssr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color e
  2⤵
  PID:3048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Downloadsssr.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Downloadsssr.exe" MD5
    3⤵
    PID:2572
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2588
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2672

memory/2868-0-0x0000000077640000-0x0000000077642000-memory.dmp

Filesize
8KB

Download
memory/2868-2-0x0000000077640000-0x0000000077642000-memory.dmp

Filesize
8KB

Download
memory/2868-4-0x0000000077640000-0x0000000077642000-memory.dmp

Filesize
8KB

Download
memory/2868-5-0x000000013F470000-0x000000014134F000-memory.dmp

Filesize
30.9MB

Download
memory/2868-9-0x000000013F644000-0x0000000140174000-memory.dmp

Filesize
11.2MB

Download
memory/2868-10-0x000000013F470000-0x000000014134F000-memory.dmp

Filesize
30.9MB

Download
memory/2868-13-0x000000013F470000-0x000000014134F000-memory.dmp

Filesize
30.9MB

Download
memory/2868-14-0x000000013F470000-0x000000014134F000-memory.dmp

Filesize
30.9MB

Download