66b855ecb1a4c42c1c0424aa13ca1d34e12b0532fefa4a09f8ff5a0797f09200

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 00:06

Target

66b855ecb1a4c42c1c0424aa13ca1d34e12b0532fefa4a09f8ff5a0797f09200.exe
Size

79KB
MD5

ccfb8308b680fbde9012bb7ce4c14da9
SHA1

329b42103cf301ccb4733a95b789a046d1e4ba28
SHA256

66b855ecb1a4c42c1c0424aa13ca1d34e12b0532fefa4a09f8ff5a0797f09200
SHA512

9b0bfd038c3d1c65a7767c7d9cf7f5c968e6eeec492463a5d7ae83f53069e6ac58348cfbb1689bbaf9be3836fcda0e6d0d843e893f35f92826ded96e438e1771
SSDEEP

1536:zv3yCHpuHMR5KOQA8AkqUhMb2nuy5wgIP0CSJ+5yVB8GMGlZ5G:zvi0uHM3/GdqU7uy5w9WMyVN5G

Score

7^/10

Executes dropped EXE 1 IoCs

Processes:

[email protected]

pid process

2564 [email protected]
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2988 cmd.exe
2988 cmd.exe

pid	process
2564	[email protected]

pid	process
2988	cmd.exe
2988	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

66b855ecb1a4c42c1c0424aa13ca1d34e12b0532fefa4a09f8ff5a0797f09200.execmd.exe

description	pid	process	target process
PID 1576 wrote to memory of 2988	1576	66b855ecb1a4c42c1c0424aa13ca1d34e12b0532fefa4a09f8ff5a0797f09200.exe	cmd.exe
PID 1576 wrote to memory of 2988	1576	66b855ecb1a4c42c1c0424aa13ca1d34e12b0532fefa4a09f8ff5a0797f09200.exe	cmd.exe
PID 1576 wrote to memory of 2988	1576	66b855ecb1a4c42c1c0424aa13ca1d34e12b0532fefa4a09f8ff5a0797f09200.exe	cmd.exe
PID 1576 wrote to memory of 2988	1576	66b855ecb1a4c42c1c0424aa13ca1d34e12b0532fefa4a09f8ff5a0797f09200.exe	cmd.exe
PID 2988 wrote to memory of 2564	2988	cmd.exe	[email protected]
PID 2988 wrote to memory of 2564	2988	cmd.exe	[email protected]
PID 2988 wrote to memory of 2564	2988	cmd.exe	[email protected]
PID 2988 wrote to memory of 2564	2988	cmd.exe	[email protected]

C:\Users\Admin\AppData\Local\Temp\66b855ecb1a4c42c1c0424aa13ca1d34e12b0532fefa4a09f8ff5a0797f09200.exe
"C:\Users\Admin\AppData\Local\Temp\66b855ecb1a4c42c1c0424aa13ca1d34e12b0532fefa4a09f8ff5a0797f09200.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    PID:2564

\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
79KB

MD5
ce42df26c0d7b988958360abb6c841b1

SHA1
1f142feb3157b364ba59569eb0a567d2b7aea5be

SHA256
c10f03c15bb26bd660fb78f683bff7a16a7664eb24601e602aa8ceed656c5eb3

SHA512
89fe31df570ba19c68119a02903b603635ac6db3767ead6e5eecd77faae6a7ac4d4a2a4d56bb46e53f1f0dac280d052e348c8f452c10a905e08d4a02a30453ac

Download Submit
memory/1576-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2564-7-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download