a401c5367be0468f0124547e9e9ad2ddb96956c24f8a9e075276c92683a6c6db

Analysis

Target

a401c5367be0468f0124547e9e9ad2ddb96956c24f8a9e075276c92683a6c6db.exe
Size

2.8MB
MD5

2979d44a547daaf5bd726f5df9104923
SHA1

ab3a3e5344d72277edf6f2392df6af97c1f81085
SHA256

a401c5367be0468f0124547e9e9ad2ddb96956c24f8a9e075276c92683a6c6db
SHA512

58d2aa14734d3312dd40fde15c205f28a0f2af130fbc8ff97217afad8f3b5409ea27dbe0c3c561f0f0f1555f47a8faffd3d6962d2c57cac31b09a159f0395b34

Score

8^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/1752-57-0x0000000000400000-0x0000000000AE1000-memory.dmp	upx
behavioral1/memory/1752-58-0x0000000000400000-0x0000000000AE1000-memory.dmp	upx

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a401c5367be0468f0124547e9e9ad2ddb96956c24f8a9e075276c92683a6c6db.exe

description	pid	process	target process
PID 1752 wrote to memory of 1052	1752	a401c5367be0468f0124547e9e9ad2ddb96956c24f8a9e075276c92683a6c6db.exe	cmd.exe
PID 1752 wrote to memory of 1052	1752	a401c5367be0468f0124547e9e9ad2ddb96956c24f8a9e075276c92683a6c6db.exe	cmd.exe
PID 1752 wrote to memory of 1052	1752	a401c5367be0468f0124547e9e9ad2ddb96956c24f8a9e075276c92683a6c6db.exe	cmd.exe
PID 1752 wrote to memory of 1052	1752	a401c5367be0468f0124547e9e9ad2ddb96956c24f8a9e075276c92683a6c6db.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a401c5367be0468f0124547e9e9ad2ddb96956c24f8a9e075276c92683a6c6db.exe
"C:\Users\Admin\AppData\Local\Temp\a401c5367be0468f0124547e9e9ad2ddb96956c24f8a9e075276c92683a6c6db.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
2⤵
- Drops startup file
PID:1052

C:\Users\Admin\AppData\Local\Temp\s.bat
Filesize
323B

MD5
92351b701992cccbfecfa4766c0a1498

SHA1
7d54031cee31bc62af53006b6b5d56b46eb7f0db

SHA256
c03557a13df98d50fc0761946351ec1485a64c7144ffaa542d9378ea1618b72e

SHA512
f767dc7b95d9b30ea525387bd631f1b2f07b90bfb5334767ecefafc9be5d197b55c29cd78da59ebbaec82ba1963fef3cd0a186c232975312e3f5840b496ca0e1

Download Submit
memory/1052-55-0x0000000000000000-mapping.dmp

Download
memory/1752-54-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1752-57-0x0000000000400000-0x0000000000AE1000-memory.dmp

Filesize
6.9MB

Download
memory/1752-58-0x0000000000400000-0x0000000000AE1000-memory.dmp

Filesize
6.9MB

Download