172122a22a15c01bef8d33469f97c3965a8808cf509fdf5a464da8e0e59a5609

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 23:47

Target

Downloadsssr.exe
Size

17.8MB
MD5

1f56c79fc36f359f67aaf948d1f51686
SHA1

9331b7591a0825a53a8b2a9fd21dfa67f9bc1458
SHA256

172122a22a15c01bef8d33469f97c3965a8808cf509fdf5a464da8e0e59a5609
SHA512

720af8735628c2a08dbfd06f10faa39143b7442d88504a5c793267b002fe6d6c9406e9f149eb20ac0fe476833d64951d1148f789162b440d27b1b471d8e25281
SSDEEP

393216:aCbhCFzZ4DhdwEWPbyoI2eHNDTPGDlp+MN7SF5x/o:VCFzS7EP2/ADlp+MpK5lo

Score

1^/10

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1508	Downloadsssr.exe
1508	Downloadsssr.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1508	Downloadsssr.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2772	1508	Downloadsssr.exe	81
PID 1508 wrote to memory of 2772	1508	Downloadsssr.exe	81
PID 1508 wrote to memory of 3496	1508	Downloadsssr.exe	82
PID 1508 wrote to memory of 3496	1508	Downloadsssr.exe	82
PID 1508 wrote to memory of 2964	1508	Downloadsssr.exe	83
PID 1508 wrote to memory of 2964	1508	Downloadsssr.exe	83
PID 2964 wrote to memory of 1772	2964	cmd.exe	84
PID 2964 wrote to memory of 1772	2964	cmd.exe	84
PID 2964 wrote to memory of 3504	2964	cmd.exe	85
PID 2964 wrote to memory of 3504	2964	cmd.exe	85
PID 2964 wrote to memory of 1956	2964	cmd.exe	86
PID 2964 wrote to memory of 1956	2964	cmd.exe	86
PID 1508 wrote to memory of 392	1508	Downloadsssr.exe	87
PID 1508 wrote to memory of 392	1508	Downloadsssr.exe	87

C:\Users\Admin\AppData\Local\Temp\Downloadsssr.exe
"C:\Users\Admin\AppData\Local\Temp\Downloadsssr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color e
  2⤵
  PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Downloadsssr.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Downloadsssr.exe" MD5
    3⤵
    PID:1772
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:3504
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:392

memory/1508-0-0x00007FF8D01B0000-0x00007FF8D01B2000-memory.dmp

Filesize
8KB

Download
memory/1508-2-0x00007FF68B694000-0x00007FF68C1C4000-memory.dmp

Filesize
11.2MB

Download
memory/1508-1-0x00007FF68B4C0000-0x00007FF68D39F000-memory.dmp

Filesize
30.9MB

Download
memory/1508-6-0x00007FF68B4C0000-0x00007FF68D39F000-memory.dmp

Filesize
30.9MB

Download
memory/1508-9-0x00007FF68B4C0000-0x00007FF68D39F000-memory.dmp

Filesize
30.9MB

Download
memory/1508-11-0x00007FF68B694000-0x00007FF68C1C4000-memory.dmp

Filesize
11.2MB

Download