570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe
Size

83KB
MD5

39dcf8ea627a41ea51504705a177b6d3
SHA1

1136a5f168767f7653f7ea880e67137c548b5dd7
SHA256

570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d
SHA512

6c25c1adec7852fa34e76e716f6b70d45673500c1e651b723bdeedd8a9b23376ac32133a61c238f12276d64bc5686535d591c351bf74e98eb18a51075e97ed12

Score

10^/10

suricata upx

Malware Config

Signatures

suricata: ET MALWARE Possible Kelihos.F EXE Download Common Structure
suricata: ET MALWARE Possible Kelihos.F EXE Download Common Structure
suricata

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/760-131-0x0000000000400000-0x0000000000784000-memory.dmp	upx
behavioral2/memory/760-134-0x0000000000400000-0x0000000000784000-memory.dmp	upx
behavioral2/memory/760-135-0x0000000000400000-0x0000000000784000-memory.dmp	upx
behavioral2/memory/760-136-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/760-137-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe

description	pid	process	target process
PID 4892 set thread context of 760	4892	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe

pid	process
4892	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe
4892	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe

pid process

4892 570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe

description	pid	process	target process
PID 4892 wrote to memory of 760	4892	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe
PID 4892 wrote to memory of 760	4892	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe
PID 4892 wrote to memory of 760	4892	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe
PID 4892 wrote to memory of 760	4892	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe
PID 4892 wrote to memory of 760	4892	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe
PID 4892 wrote to memory of 760	4892	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe
PID 4892 wrote to memory of 760	4892	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe
PID 4892 wrote to memory of 760	4892	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe
PID 4892 wrote to memory of 760	4892	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe
PID 4892 wrote to memory of 760	4892	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe
PID 4892 wrote to memory of 760	4892	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe	570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe

C:\Users\Admin\AppData\Local\Temp\570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe
"C:\Users\Admin\AppData\Local\Temp\570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\AppData\Local\Temp\570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe
  C:\Users\Admin\AppData\Local\Temp\570321d979893375deffe324e302d88b9fa671a0c0e810543c3547bb7e1db71d.exe
  2⤵
  PID:760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/760-130-0x0000000000000000-mapping.dmp

Download
memory/760-131-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/760-134-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/760-135-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/760-136-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/760-137-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4892-133-0x0000000000A50000-0x0000000000A55000-memory.dmp

Filesize
20KB

Download