7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb

Analysis

max time kernel
36s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 22:04

Target

7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe
Size

4.6MB
MD5

ff78a2628cc296e62e4cce94d6e4253e
SHA1

ad83c4938977b6c78029c5fcbd097ba3fa643761
SHA256

7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb
SHA512

8d1b9b0cc2dce8c7a840195fe7bdfa8dc6bb46a36754c31e9d4020497ac231daf638ce4d915756c30dc43b886f4d5c1247374b1f9bb0d538c4e29ea55168a25c
SSDEEP

98304:MPjJCFCkGpsGg/bir1/rIGR/bir1/r6/bir1/r:8JWCm/bir1/rx/bir1/r6/bir1/r

Score

8^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1172-58-0x0000000000400000-0x00000000008A0000-memory.dmp	upx
behavioral1/memory/1172-59-0x0000000000400000-0x00000000008A0000-memory.dmp	upx

Kills process with taskkill 1 IoCs

evasion

pid	Process
1972	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1172	7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe
1172	7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 1020	1172	7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe	27
PID 1172 wrote to memory of 1020	1172	7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe	27
PID 1172 wrote to memory of 1020	1172	7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe	27
PID 1172 wrote to memory of 1020	1172	7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe	27
PID 1172 wrote to memory of 1992	1172	7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe	28
PID 1172 wrote to memory of 1992	1172	7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe	28
PID 1172 wrote to memory of 1992	1172	7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe	28
PID 1172 wrote to memory of 1992	1172	7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe	28
PID 1020 wrote to memory of 1972	1020	cmd.exe	31
PID 1020 wrote to memory of 1972	1020	cmd.exe	31
PID 1020 wrote to memory of 1972	1020	cmd.exe	31
PID 1020 wrote to memory of 1972	1020	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe
"C:\Users\Admin\AppData\Local\Temp\7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im QQ.exe /t
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im QQ.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del 7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe
  2⤵
  PID:1992

memory/1172-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1172-58-0x0000000000400000-0x00000000008A0000-memory.dmp

Filesize
4.6MB

Download
memory/1172-59-0x0000000000400000-0x00000000008A0000-memory.dmp

Filesize
4.6MB

Download