de7ff5195174a52c93910a240048774e2054b65c7ee3e0e3bbd2aa3ffd1f3f0f

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 01:27

Target

1390f79d49f1531e22c58003397600aa.exe
Size

49KB
MD5

1390f79d49f1531e22c58003397600aa
SHA1

856cb815dc91aafa7e8d572db2d0829bb5923abb
SHA256

de7ff5195174a52c93910a240048774e2054b65c7ee3e0e3bbd2aa3ffd1f3f0f
SHA512

21c5b91260fc8bb723010109d17ff73bf13f94f7492d46c0949a89180e863195d8b59e582918b5b1f587466b80c661c482a1088b38a59e7329253048da371dab
SSDEEP

768:2CRNI3kiCDsrCNPBILB8yTmpkMbQNtcSm4K2+XIeq0Vy84++3SoxDX1O7:a3kiCQUPBILB77MbQbm52eIn0DoVXq

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2932	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2516	ahwlynsh.exe

Loads dropped DLL 2 IoCs

pid	Process
2064	1390f79d49f1531e22c58003397600aa.exe
2064	1390f79d49f1531e22c58003397600aa.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2064	1390f79d49f1531e22c58003397600aa.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2516	2064	1390f79d49f1531e22c58003397600aa.exe	31
PID 2064 wrote to memory of 2516	2064	1390f79d49f1531e22c58003397600aa.exe	31
PID 2064 wrote to memory of 2516	2064	1390f79d49f1531e22c58003397600aa.exe	31
PID 2064 wrote to memory of 2516	2064	1390f79d49f1531e22c58003397600aa.exe	31
PID 2064 wrote to memory of 2932	2064	1390f79d49f1531e22c58003397600aa.exe	32
PID 2064 wrote to memory of 2932	2064	1390f79d49f1531e22c58003397600aa.exe	32
PID 2064 wrote to memory of 2932	2064	1390f79d49f1531e22c58003397600aa.exe	32
PID 2064 wrote to memory of 2932	2064	1390f79d49f1531e22c58003397600aa.exe	32

C:\Users\Admin\AppData\Local\Temp\1390f79d49f1531e22c58003397600aa.exe
"C:\Users\Admin\AppData\Local\Temp\1390f79d49f1531e22c58003397600aa.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2064
- C:\ProgramData\uvkvezwb\ahwlynsh.exe
  C:\ProgramData\uvkvezwb\ahwlynsh.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\SysWOW64\cmd.exe
  /c del /f C:\Users\Admin\AppData\Local\Temp\1390F7~1.EXE.bak >> NUL
  2⤵
  - Deletes itself
  PID:2932

\ProgramData\uvkvezwb\ahwlynsh.exe

Filesize
49KB

MD5
1390f79d49f1531e22c58003397600aa

SHA1
856cb815dc91aafa7e8d572db2d0829bb5923abb

SHA256
de7ff5195174a52c93910a240048774e2054b65c7ee3e0e3bbd2aa3ffd1f3f0f

SHA512
21c5b91260fc8bb723010109d17ff73bf13f94f7492d46c0949a89180e863195d8b59e582918b5b1f587466b80c661c482a1088b38a59e7329253048da371dab

Download Submit
memory/2064-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download