3019d1bae063f131bd6923fb5b49816059ab42c79e9889a1c29d5d7400a7a9d3

Analysis

max time kernel
120s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 14:07

Target

dscomprovante.exe
Size

54KB
MD5

19186a7f0b1ef0e9f3bae129c17826cc
SHA1

dcdc63d1c2aa295616d355b55ac4827513bcadae
SHA256

beac1d50834328f098a2b051240923ac4652f5a75596d8ad537fa3ff5d45c8e1
SHA512

00414d01810015af66f54cacb21fc4b4f1c86f8328c1233484f304a7bbacd0fd029ea58b474effe3c861ccaa2f4edbaa04f4bc88222905f015782a230ee135e7
SSDEEP

1536:Y1qTXQOp6eGSC9ygcKrqnsFBjjsY7MZn1Q1Bx:dzp6euZcKusDjjsAMZn1Qx

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2016	crfrs.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1840	1932	dscomprovante.exe	84
PID 1932 wrote to memory of 1840	1932	dscomprovante.exe	84
PID 1932 wrote to memory of 1840	1932	dscomprovante.exe	84
PID 1932 wrote to memory of 3260	1932	dscomprovante.exe	89
PID 1932 wrote to memory of 3260	1932	dscomprovante.exe	89
PID 1932 wrote to memory of 3260	1932	dscomprovante.exe	89
PID 3260 wrote to memory of 2016	3260	CMD.exe	91
PID 3260 wrote to memory of 2016	3260	CMD.exe	91
PID 3260 wrote to memory of 2016	3260	CMD.exe	91
PID 2016 wrote to memory of 2704	2016	crfrs.exe	92
PID 2016 wrote to memory of 2704	2016	crfrs.exe	92
PID 2016 wrote to memory of 2704	2016	crfrs.exe	92
PID 2016 wrote to memory of 2412	2016	crfrs.exe	94
PID 2016 wrote to memory of 2412	2016	crfrs.exe	94
PID 2016 wrote to memory of 2412	2016	crfrs.exe	94

C:\Users\Admin\AppData\Local\Temp\dscomprovante.exe
"C:\Users\Admin\AppData\Local\Temp\dscomprovante.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\CMD.exe
  CMD /C Copy C:\Users\Admin\AppData\Local\Temp\DSCOMP~1.EXE C:\Users\Admin\AppData\Local\Temp\crfrs.exe
  2⤵
  PID:1840
- C:\Windows\SysWOW64\CMD.exe
  CMD /C Start C:\Users\Admin\AppData\Local\Temp\crfrs.exe -start
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Users\Admin\AppData\Local\Temp\crfrs.exe
    C:\Users\Admin\AppData\Local\Temp\crfrs.exe -start
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C Start C:\Users\Admin\AppData\Local\3H5FAF~1\router1.exe -start
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C Start C:\Users\Admin\AppData\Local\3H5FAF~1\nicha2.exe -start
      4⤵
      PID:2412

C:\Users\Admin\AppData\Local\3H5FAF~1\router1.exe

Filesize
1KB

MD5
9b6419564e2517bca5c02656ee34428a

SHA1
82fa924ab283fdced730a5a01980bc16038a4ebc

SHA256
7c3062f4433da04b86fb2a95156b3598d5e9e030494f9956755dcff563579a4a

SHA512
5d95f22c06e9685f3728cad4aec555c002e5ccffb9bead9930b77f852c996c2eb97f33f569950271393fdadb2e84e469ccf995e4743b0d5f6512741be9c2366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\crfrs.exe

Filesize
54KB

MD5
19186a7f0b1ef0e9f3bae129c17826cc

SHA1
dcdc63d1c2aa295616d355b55ac4827513bcadae

SHA256
beac1d50834328f098a2b051240923ac4652f5a75596d8ad537fa3ff5d45c8e1

SHA512
00414d01810015af66f54cacb21fc4b4f1c86f8328c1233484f304a7bbacd0fd029ea58b474effe3c861ccaa2f4edbaa04f4bc88222905f015782a230ee135e7

Download Submit
memory/1932-16-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2016-14-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download