bbf48e9e6efde3b96dcac6b37318a8b7c78924e5211283ff23787b1b76f2f9d2

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 02:10

Target

bbf48e9e6efde3b96dcac6b37318a8b7c78924e5211283ff23787b1b76f2f9d2.exe
Size

94KB
MD5

3568eb4c82f3892e5df1557b21ab4fef
SHA1

e45b568a39d7c95236197849145284bbced7c7e3
SHA256

bbf48e9e6efde3b96dcac6b37318a8b7c78924e5211283ff23787b1b76f2f9d2
SHA512

c1bd8b7932284bce63bd38861e9c3cc6b8d147eca7b878830ec220f1947f40356826cabce2095bdb8e7f9a6253d9b2b4a20fb81f6fa9d707ec439bb2ba8e59b3
SSDEEP

1536:Sdyql1M7wIIEuti7rEYivykYkpaWj0OL+G7mJAm/lGAuJMLF4vsnXWkW316:SdV1Z1i3QKqSGCJr/lkJ6FQsnR

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2580	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2860	sppsrv.exe

Loads dropped DLL 2 IoCs

pid	Process
2860	sppsrv.exe
2860	sppsrv.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xpwunp.dat	bbf48e9e6efde3b96dcac6b37318a8b7c78924e5211283ff23787b1b76f2f9d2.exe
File created	C:\Windows\SysWOW64\sppsrv.exe	bbf48e9e6efde3b96dcac6b37318a8b7c78924e5211283ff23787b1b76f2f9d2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 2580	1200	bbf48e9e6efde3b96dcac6b37318a8b7c78924e5211283ff23787b1b76f2f9d2.exe	29
PID 1200 wrote to memory of 2580	1200	bbf48e9e6efde3b96dcac6b37318a8b7c78924e5211283ff23787b1b76f2f9d2.exe	29
PID 1200 wrote to memory of 2580	1200	bbf48e9e6efde3b96dcac6b37318a8b7c78924e5211283ff23787b1b76f2f9d2.exe	29
PID 1200 wrote to memory of 2580	1200	bbf48e9e6efde3b96dcac6b37318a8b7c78924e5211283ff23787b1b76f2f9d2.exe	29

C:\Users\Admin\AppData\Local\Temp\bbf48e9e6efde3b96dcac6b37318a8b7c78924e5211283ff23787b1b76f2f9d2.exe
"C:\Users\Admin\AppData\Local\Temp\bbf48e9e6efde3b96dcac6b37318a8b7c78924e5211283ff23787b1b76f2f9d2.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\_del.bat
  2⤵
  - Deletes itself
  PID:2580

C:\Users\Admin\AppData\Local\Temp\_del.bat

Filesize
294B

MD5
8b59813ec187595e99c410080b572d75

SHA1
87cd2fbaf69845684e867da1495d464218660142

SHA256
23da1d260f3b83e636c8ebeb93f5690e69da2fedc3bd46bcbb08a0c4f4d1e375

SHA512
336fd974c0e69bd3609427c4c6a91b5dada52ff3e334671278cd4f2938f25780121de5f371caad83dc9bdab463016d4f166bfe4a3116fe9e8b3e31b911c8a4bf

Download Submit
C:\Windows\SysWOW64\sppsrv.exe

Filesize
94KB

MD5
23fa915be400e995b709b92a07fcc420

SHA1
f62b247e630d40e46232a95dcf24a683b604b33a

SHA256
427c47035d6eda87b575cf9261469ac57194d5638c9fc5ca7ac991eeacd51a7c

SHA512
f8b3b6b684c55c3b2c550d9b5908b91aaa6061606526468280a449bf19e2260867e536d44f710f65dae7e0b99068b5d11ed851794b5cdc7c9646b1de2bf342ac

Download Submit
C:\Windows\SysWOW64\xpwunp.dat

Filesize
740B

MD5
7bf9244e0ad6fec857bf2b71bfd54290

SHA1
448da1889c7809ead1b7c4c886bf35bfb59d122f

SHA256
9b142699782d98b0da511862f635bcaaa144108398db16ab5e2aeaa630a8226c

SHA512
f210c59957f7934f3006cea43cb1b5f143516172f07263f63dddad481854427bd09268ab58122faf73efc49408cc4518a431a49512fc4e294c84c197efcef640

Download Submit