12d28e37196b365e8d7b650be1998e50fec6b4980cde5f0297037af89139e9be

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 12:52

Target

val0_club.exe
Size

12.9MB
MD5

dae263f006a7008321c5b9786421a734
SHA1

a161955aa40000a65e116c6cf4150ab605875c1e
SHA256

12d28e37196b365e8d7b650be1998e50fec6b4980cde5f0297037af89139e9be
SHA512

7018eab97b5d9e38b396a8c69d91409731c0d13e10290c2c9d1d68a8ae7a819c846033c23b190fc7c330feb6965b0093447324c71a41c4ba7b585460875a650e
SSDEEP

393216:k4sY/ZGLPjorqDF2qAK8oP89vDXMqd9h85ERbHNzkL:k4sY/yoeJGk85rMqdeERbHN

Score

5^/10

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4628	val0_club.exe
4628	val0_club.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4628	val0_club.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4628	val0_club.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 4540	4628	val0_club.exe	87
PID 4628 wrote to memory of 4540	4628	val0_club.exe	87
PID 4540 wrote to memory of 4804	4540	cmd.exe	88
PID 4540 wrote to memory of 4804	4540	cmd.exe	88
PID 4628 wrote to memory of 4788	4628	val0_club.exe	89
PID 4628 wrote to memory of 4788	4628	val0_club.exe	89
PID 4628 wrote to memory of 2864	4628	val0_club.exe	90
PID 4628 wrote to memory of 2864	4628	val0_club.exe	90
PID 4628 wrote to memory of 2560	4628	val0_club.exe	92
PID 4628 wrote to memory of 2560	4628	val0_club.exe	92

C:\Users\Admin\AppData\Local\Temp\val0_club.exe
"C:\Users\Admin\AppData\Local\Temp\val0_club.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c MODE CON COLS=60 LINES=6
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\system32\mode.com
    MODE CON COLS=60 LINES=6
    3⤵
    PID:4804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2560

memory/4628-0-0x00007FF780A04000-0x00007FF781197000-memory.dmp

Filesize
7.6MB

Download
memory/4628-2-0x00007FFFC1C00000-0x00007FFFC1C02000-memory.dmp

Filesize
8KB

Download
memory/4628-1-0x00007FFFC1BF0000-0x00007FFFC1BF2000-memory.dmp

Filesize
8KB

Download
memory/4628-7-0x00007FF780960000-0x00007FF781E76000-memory.dmp

Filesize
21.1MB

Download
memory/4628-11-0x00007FF780A04000-0x00007FF781197000-memory.dmp

Filesize
7.6MB

Download
memory/4628-10-0x00007FF780960000-0x00007FF781E76000-memory.dmp

Filesize
21.1MB

Download
memory/4628-13-0x00007FF780A04000-0x00007FF781197000-memory.dmp

Filesize
7.6MB

Download
memory/4628-14-0x00007FF780960000-0x00007FF781E76000-memory.dmp

Filesize
21.1MB

Download