3b9f2230d13b0cbb9782f635b3b20cba0d5a5f7a65daadb1d10238fee793b19f

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 20:38

Target

3b9f2230d13b0cbb9782f635b3b20cba0d5a5f7a65daadb1d10238fee793b19f.exe
Size

61KB
MD5

1ac3523dbf5ee1a9851bccaab09ce5d1
SHA1

e3365250cbded8302a27b968154b9fc880393fee
SHA256

3b9f2230d13b0cbb9782f635b3b20cba0d5a5f7a65daadb1d10238fee793b19f
SHA512

3433f337492d2802d6d84fb68df5cce31dd3d5cb24748047acfa3b8fde3938cf91bbed70a128245ee0c880fbef54dffa3a3028dc4ed2e2c126fa45ddb21cb7df
SSDEEP

768:neJIvFKPZo2smEasjcj29NWngAHxcwKppEaxglaX5uA:nQIvEPZo6Ead29NQgA2wzle5

Score

7^/10

Executes dropped EXE 3 IoCs

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\viesazm.mpk	ewiuer2.exe
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\viesazm.mpk	ewiuer2.exe
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 1008	640	3b9f2230d13b0cbb9782f635b3b20cba0d5a5f7a65daadb1d10238fee793b19f.exe	83
PID 640 wrote to memory of 1008	640	3b9f2230d13b0cbb9782f635b3b20cba0d5a5f7a65daadb1d10238fee793b19f.exe	83
PID 640 wrote to memory of 1008	640	3b9f2230d13b0cbb9782f635b3b20cba0d5a5f7a65daadb1d10238fee793b19f.exe	83
PID 1008 wrote to memory of 4944	1008	ewiuer2.exe	100
PID 1008 wrote to memory of 4944	1008	ewiuer2.exe	100
PID 1008 wrote to memory of 4944	1008	ewiuer2.exe	100
PID 4944 wrote to memory of 3516	4944	ewiuer2.exe	104
PID 4944 wrote to memory of 3516	4944	ewiuer2.exe	104
PID 4944 wrote to memory of 3516	4944	ewiuer2.exe	104

C:\Users\Admin\AppData\Local\Temp\3b9f2230d13b0cbb9782f635b3b20cba0d5a5f7a65daadb1d10238fee793b19f.exe
"C:\Users\Admin\AppData\Local\Temp\3b9f2230d13b0cbb9782f635b3b20cba0d5a5f7a65daadb1d10238fee793b19f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\SysWOW64\ewiuer2.exe
      C:\Windows\SysWOW64\ewiuer2.exe /nomove
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:3516

C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
6e6b5fa41ce9d9947c74cb30ada2149f

SHA1
66918c134650f63818c5f9e1ebcf83a8ba081fde

SHA256
b52f5fb71250ad07aaa0872395dfe95973f99443d3e566b5e84f4fe5511615f1

SHA512
c9a7bf980b91108b6063d50e593f598289e8d9b26dfb5d25b2e78101b13f2efe3b56d76aec75318c5b03cacc129b7300dba16bd1c3e84b2cd826c305eadbe52a

Download Submit
C:\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
b2d578eb1aef3571dd8e6ad881ee2b7c

SHA1
57c2a316f548783e42fc91a7288b50a1255e89f2

SHA256
48f306b52a27d7d2e9d5eaf5562e17982c4f539457cf2693084bec9822482941

SHA512
cf28ae9520cf9e0b925c0a74a57554f243db755b2300825401347c444f9243c941ba973473517fe938221c71b9991dddddf29cee6dcd3ee203a63fe07fe68df7

Download Submit