ff3a3ca5694628a94686996d09265e755880e21b65ff9920b87559d9448e5a43

Analysis

max time kernel
142s
max time network
139s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 23:01

Target

Duplicata_29644.exe
Size

55KB
MD5

d1b0ea1f8a5f5aa158cba47c4a37ea37
SHA1

19a0087bd66a24f13005d973128123ac6ade6855
SHA256

1dd7179f4e247bec26e88c569c9c3446146752a32ea6aef254b1e236266e96ca
SHA512

40e5573548fe2560a6c6b9f5a8807ef3d98bd62e848a97e4c4b6dc5bccb486361ca4222626905f92206481dc786b5a8cd830ae85bc125191d4343f2d5b327280
SSDEEP

1536:b1q04Q2yqs6JlaN8drqX8mqSmumJX5kMd2OxyltZx:q7ysJDdun7mumJX5kMsOxyltZx

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1228	bling.exe

Loads dropped DLL 2 IoCs

pid	Process
2880	CMD.exe
2880	CMD.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2924	1180	Duplicata_29644.exe	28
PID 1180 wrote to memory of 2924	1180	Duplicata_29644.exe	28
PID 1180 wrote to memory of 2924	1180	Duplicata_29644.exe	28
PID 1180 wrote to memory of 2924	1180	Duplicata_29644.exe	28
PID 1180 wrote to memory of 2880	1180	Duplicata_29644.exe	30
PID 1180 wrote to memory of 2880	1180	Duplicata_29644.exe	30
PID 1180 wrote to memory of 2880	1180	Duplicata_29644.exe	30
PID 1180 wrote to memory of 2880	1180	Duplicata_29644.exe	30
PID 2880 wrote to memory of 1228	2880	CMD.exe	32
PID 2880 wrote to memory of 1228	2880	CMD.exe	32
PID 2880 wrote to memory of 1228	2880	CMD.exe	32
PID 2880 wrote to memory of 1228	2880	CMD.exe	32

C:\Users\Admin\AppData\Local\Temp\Duplicata_29644.exe
"C:\Users\Admin\AppData\Local\Temp\Duplicata_29644.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\SysWOW64\CMD.exe
  CMD /C Copy C:\Users\Admin\AppData\Local\Temp\DUPLIC~1.EXE C:\Users\Admin\AppData\Local\Temp\bling.exe
  2⤵
  PID:2924
- C:\Windows\SysWOW64\CMD.exe
  CMD /C Start C:\Users\Admin\AppData\Local\Temp\bling.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\bling.exe
    C:\Users\Admin\AppData\Local\Temp\bling.exe
    3⤵
    - Executes dropped EXE
    PID:1228

\Users\Admin\AppData\Local\Temp\bling.exe

Filesize
55KB

MD5
d1b0ea1f8a5f5aa158cba47c4a37ea37

SHA1
19a0087bd66a24f13005d973128123ac6ade6855

SHA256
1dd7179f4e247bec26e88c569c9c3446146752a32ea6aef254b1e236266e96ca

SHA512
40e5573548fe2560a6c6b9f5a8807ef3d98bd62e848a97e4c4b6dc5bccb486361ca4222626905f92206481dc786b5a8cd830ae85bc125191d4343f2d5b327280

Download Submit
memory/1180-6-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1228-7-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1228-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1228-15-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1228-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download