34d49b84b39668e6bae0b8d31c1954687e8693d60bccbeb996550bf26478af1d

Analysis

max time kernel
14s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 17:44

Target

f6a8685f7425892be2bbb3693c9cc2d0N.exe
Size

208KB
MD5

f6a8685f7425892be2bbb3693c9cc2d0
SHA1

84fe73492bc8a14490ff877d3a7668649ae031b2
SHA256

34d49b84b39668e6bae0b8d31c1954687e8693d60bccbeb996550bf26478af1d
SHA512

6cd756c731f9c86e57f46c959d26b1087eff2e95868057a2e57b0b0af599ed2b343b808fc0b2c0dc748d53f33abe07acb749e65bd9b7cb35867f38f5f3b3a7b5
SSDEEP

3072:egCB7gtsywfq4QlpmX3rw3q+i4NJ/ovWiLUXzPbEpLKYdP44NLthEjQT6:eg6g/wfelITZ89ovWiIjPbEpLKBQEj

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1968	YQZIJ.exe

Loads dropped DLL 2 IoCs

pid	Process
2040	cmd.exe
2040	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\YQZIJ.exe	f6a8685f7425892be2bbb3693c9cc2d0N.exe
File opened for modification	C:\windows\SysWOW64\YQZIJ.exe	f6a8685f7425892be2bbb3693c9cc2d0N.exe
File created	C:\windows\SysWOW64\YQZIJ.exe.bat	f6a8685f7425892be2bbb3693c9cc2d0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1244	f6a8685f7425892be2bbb3693c9cc2d0N.exe
1968	YQZIJ.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2040	1244	f6a8685f7425892be2bbb3693c9cc2d0N.exe	30
PID 1244 wrote to memory of 2040	1244	f6a8685f7425892be2bbb3693c9cc2d0N.exe	30
PID 1244 wrote to memory of 2040	1244	f6a8685f7425892be2bbb3693c9cc2d0N.exe	30
PID 1244 wrote to memory of 2040	1244	f6a8685f7425892be2bbb3693c9cc2d0N.exe	30
PID 2040 wrote to memory of 1968	2040	cmd.exe	32
PID 2040 wrote to memory of 1968	2040	cmd.exe	32
PID 2040 wrote to memory of 1968	2040	cmd.exe	32
PID 2040 wrote to memory of 1968	2040	cmd.exe	32

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\SysWOW64\YQZIJ.exe.bat

Filesize
74B

MD5
23a4b21e72c087fa06a410042f92bae3

SHA1
c770fc5a41e31080c739ae7307002ed06d2ea5a8

SHA256
3ee46f423be2cf9a394648beb457d223dec4635208b9475a111ab88e4e479556

SHA512
4b354f766194b892ee64fa3538d0d8467ebd69d2126f200f2294d13bf178020b8577a264657e56678439e58a8dc0ef7a4b7631a1196076734fa2d86f15984b4a

Download Submit
\Windows\SysWOW64\YQZIJ.exe

Filesize
208KB

MD5
3354454317b99aad5f1f9f1d25a56673

SHA1
dccf02e40b16b1b1a51043f9a24abe48b7a8a3a1

SHA256
bc03841d2a05c2cb77bffe6d3a14d7d2917674cfa0c5d953e6000d193f28e25c

SHA512
f4a6885f78183a8a1813ec72915b24500c1843b880a688c2e8d35b0330ac8e76a30a16054b6c2a16a84234f85f57ed87c42f82be52daf237de72d3fffc6af9d2

Download Submit
memory/1244-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1244-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1968-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1968-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2040-16-0x00000000001D0000-0x0000000000208000-memory.dmp

Filesize
224KB

Download