446f1faa1a66639757107c27927e11255d267d8a01bc6f0e452307f61392d181

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 20:25

Target

jkhdkfjhkjh324j.exe
Size

5.6MB
MD5

db6dba6e2cd6fcb0f144e887d122cf55
SHA1

45a56a725b921abf7daca94330f3cd7d2ab46771
SHA256

446f1faa1a66639757107c27927e11255d267d8a01bc6f0e452307f61392d181
SHA512

abad91015a0d646df236787ba366bde18e3e6202a73fb919eba889a1bbed130bfe0c0535aa4c612a3ad475c0ec45675667c36d86100badbf372bea5873cb0636
SSDEEP

98304:0tHajn56+lz9P13VudzLIONoLtSvj6BAXvZYd/gWFgpkOnkXvt/8ASeWXfyc0J7o:0EjZlVgCtl2Oj2pkn/tEAXtDjq

Score

5^/10

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2728	jkhdkfjhkjh324j.exe
2728	jkhdkfjhkjh324j.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2292	2728	jkhdkfjhkjh324j.exe	31
PID 2728 wrote to memory of 2292	2728	jkhdkfjhkjh324j.exe	31
PID 2728 wrote to memory of 2292	2728	jkhdkfjhkjh324j.exe	31
PID 2292 wrote to memory of 2744	2292	cmd.exe	32
PID 2292 wrote to memory of 2744	2292	cmd.exe	32
PID 2292 wrote to memory of 2744	2292	cmd.exe	32
PID 2292 wrote to memory of 2752	2292	cmd.exe	33
PID 2292 wrote to memory of 2752	2292	cmd.exe	33
PID 2292 wrote to memory of 2752	2292	cmd.exe	33
PID 2292 wrote to memory of 2332	2292	cmd.exe	34
PID 2292 wrote to memory of 2332	2292	cmd.exe	34
PID 2292 wrote to memory of 2332	2292	cmd.exe	34
PID 2728 wrote to memory of 2640	2728	jkhdkfjhkjh324j.exe	35
PID 2728 wrote to memory of 2640	2728	jkhdkfjhkjh324j.exe	35
PID 2728 wrote to memory of 2640	2728	jkhdkfjhkjh324j.exe	35

C:\Users\Admin\AppData\Local\Temp\jkhdkfjhkjh324j.exe
"C:\Users\Admin\AppData\Local\Temp\jkhdkfjhkjh324j.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\jkhdkfjhkjh324j.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\jkhdkfjhkjh324j.exe" MD5
    3⤵
    PID:2744
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2752
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2640

memory/2728-4-0x00000000773E0000-0x00000000773E2000-memory.dmp

Filesize
8KB

Download
memory/2728-2-0x00000000773E0000-0x00000000773E2000-memory.dmp

Filesize
8KB

Download
memory/2728-0-0x00000000773E0000-0x00000000773E2000-memory.dmp

Filesize
8KB

Download
memory/2728-5-0x000000013FD30000-0x000000014070C000-memory.dmp

Filesize
9.9MB

Download
memory/2728-7-0x000000013FDC9000-0x000000014016C000-memory.dmp

Filesize
3.6MB

Download
memory/2728-10-0x000000013FDC9000-0x000000014016C000-memory.dmp

Filesize
3.6MB

Download
memory/2728-11-0x000000013FD30000-0x000000014070C000-memory.dmp

Filesize
9.9MB

Download