f8b7a274aa5894d4549737e18688f0dc49bbdfccc0ebe5e7ad9eb2c6823d61d6

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 04:17

Target

f8b7a274aa5894d4549737e18688f0dc49bbdfccc0ebe5e7ad9eb2c6823d61d6.exe
Size

61KB
MD5

6993c1e0d5b5a87642090cfb6d4aa01c
SHA1

20c8a850739b80d873e9ad4e6c0614de9b4bffa6
SHA256

f8b7a274aa5894d4549737e18688f0dc49bbdfccc0ebe5e7ad9eb2c6823d61d6
SHA512

a912b233a3b6aad0703fe935b88177b7dc3cf1109ec8f3b253b189ef5e262c9d7b49469dfd0cf3adc340629040c0a85c35451e37c2f74457257f8f8e834b97fa
SSDEEP

768:AeJIvFKPZo2smEasjcj29NWngAHxcw9ppEaxglaX5uA:AQIvEPZo6Ead29NQgA2wQle5

Score

7^/10

Executes dropped EXE 3 IoCs

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\viesazm.mpk	ewiuer2.exe
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\viesazm.mpk	ewiuer2.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 1560	1828	f8b7a274aa5894d4549737e18688f0dc49bbdfccc0ebe5e7ad9eb2c6823d61d6.exe	83
PID 1828 wrote to memory of 1560	1828	f8b7a274aa5894d4549737e18688f0dc49bbdfccc0ebe5e7ad9eb2c6823d61d6.exe	83
PID 1828 wrote to memory of 1560	1828	f8b7a274aa5894d4549737e18688f0dc49bbdfccc0ebe5e7ad9eb2c6823d61d6.exe	83
PID 1560 wrote to memory of 3264	1560	ewiuer2.exe	96
PID 1560 wrote to memory of 3264	1560	ewiuer2.exe	96
PID 1560 wrote to memory of 3264	1560	ewiuer2.exe	96
PID 3264 wrote to memory of 728	3264	ewiuer2.exe	97
PID 3264 wrote to memory of 728	3264	ewiuer2.exe	97
PID 3264 wrote to memory of 728	3264	ewiuer2.exe	97

C:\Users\Admin\AppData\Local\Temp\f8b7a274aa5894d4549737e18688f0dc49bbdfccc0ebe5e7ad9eb2c6823d61d6.exe
"C:\Users\Admin\AppData\Local\Temp\f8b7a274aa5894d4549737e18688f0dc49bbdfccc0ebe5e7ad9eb2c6823d61d6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3264
  - - C:\Windows\SysWOW64\ewiuer2.exe
      C:\Windows\SysWOW64\ewiuer2.exe /nomove
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:728

C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
97b449fd3820dec2ff820aac155f2c42

SHA1
d64a27d7da497348307fed282ecfcaf19e731891

SHA256
ce225201a639581498f095ec440f2ac3155e5eba679bdc2fabbe9d89137ee145

SHA512
6e4c2cad3b64cd2d76a29278331c0fa8bbe4130988a2b75d8d1bff9c9b1367d29e8ef5ffbf85aae66a79e25d6d33a89e3b6f66ffcdd62656795a1eb0a90da383

Download Submit
C:\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
2bb212f1bd750d6c7ae7fdb33a710eb3

SHA1
4556091f8aeff5744aba95ebd3564c54a06de3be

SHA256
6d8fa1fce3a43300f26b74ba6dcfba018122cab5177f980ca292a462a824d2af

SHA512
50d062df365bc1f91947644b80560c737ca12eb3c10391c661f4175176306840afd240e57c28bc75a3ccb4508b00e005a2fa14fa60492f0d03276e62fbd14e5b

Download Submit