8648d5d6f101af1fd8071a7c08c82f0d7914f1a7cfb61eb60c3c031b9551ddfc

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 02:25

Target

8648d5d6f101af1fd8071a7c08c82f0d7914f1a7cfb61eb60c3c031b9551ddfc.exe
Size

79KB
MD5

0c5a422c4c7adb1bbdaf7e36a5ea6b8a
SHA1

2827470059625a2f8ddf3842f1518c2b41530563
SHA256

8648d5d6f101af1fd8071a7c08c82f0d7914f1a7cfb61eb60c3c031b9551ddfc
SHA512

f116fc650988eec478ce639749061f968690b9c15163ba61546b0c7f14a71b1b8ec4216cd3bf7a3dc470b61d0955b228029510bd4bf4345b9fdec118fe7195c2
SSDEEP

1536:zvJudrqrpLekL5OQA8AkqUhMb2nuy5wgIP0CSJ+5y5B8GMGlZ5G:zvJu0rpLXUGdqU7uy5w9WMy5N5G

Score

7^/10

Executes dropped EXE 1 IoCs

Processes:

[email protected]

pid process

2044 [email protected]
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2736 cmd.exe
2736 cmd.exe

pid	process
2044	[email protected]

pid	process
2736	cmd.exe
2736	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8648d5d6f101af1fd8071a7c08c82f0d7914f1a7cfb61eb60c3c031b9551ddfc.execmd.exe

description	pid	process	target process
PID 2964 wrote to memory of 2736	2964	8648d5d6f101af1fd8071a7c08c82f0d7914f1a7cfb61eb60c3c031b9551ddfc.exe	cmd.exe
PID 2964 wrote to memory of 2736	2964	8648d5d6f101af1fd8071a7c08c82f0d7914f1a7cfb61eb60c3c031b9551ddfc.exe	cmd.exe
PID 2964 wrote to memory of 2736	2964	8648d5d6f101af1fd8071a7c08c82f0d7914f1a7cfb61eb60c3c031b9551ddfc.exe	cmd.exe
PID 2964 wrote to memory of 2736	2964	8648d5d6f101af1fd8071a7c08c82f0d7914f1a7cfb61eb60c3c031b9551ddfc.exe	cmd.exe
PID 2736 wrote to memory of 2044	2736	cmd.exe	[email protected]
PID 2736 wrote to memory of 2044	2736	cmd.exe	[email protected]
PID 2736 wrote to memory of 2044	2736	cmd.exe	[email protected]
PID 2736 wrote to memory of 2044	2736	cmd.exe	[email protected]

C:\Users\Admin\AppData\Local\Temp\8648d5d6f101af1fd8071a7c08c82f0d7914f1a7cfb61eb60c3c031b9551ddfc.exe
"C:\Users\Admin\AppData\Local\Temp\8648d5d6f101af1fd8071a7c08c82f0d7914f1a7cfb61eb60c3c031b9551ddfc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    PID:2044

\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
79KB

MD5
012c5f65a12d723246a7b2ba9ab460c4

SHA1
4b185b17e1c0e25d2506592016d3ca6b1f804073

SHA256
18d7f5b8e4ff6a8a9671b7e62eefcd6a1c7b7857535a809fa87093b0ed8c92de

SHA512
7844b6ac896a35d4f449f4fee39faf75479d2052ab202cec01f3dbd5632edef9fb94db69930af3278863ceb0a322bdf0d8730a9bfbaca3fafb9963738190eea1

Download Submit
memory/2044-7-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2964-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download