7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb

Analysis

max time kernel
116s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 22:04

Target

7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe
Size

4.6MB
MD5

ff78a2628cc296e62e4cce94d6e4253e
SHA1

ad83c4938977b6c78029c5fcbd097ba3fa643761
SHA256

7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb
SHA512

8d1b9b0cc2dce8c7a840195fe7bdfa8dc6bb46a36754c31e9d4020497ac231daf638ce4d915756c30dc43b886f4d5c1247374b1f9bb0d538c4e29ea55168a25c
SSDEEP

98304:MPjJCFCkGpsGg/bir1/rIGR/bir1/r6/bir1/r:8JWCm/bir1/rx/bir1/r6/bir1/r

Score

8^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/2120-132-0x0000000000400000-0x00000000008A0000-memory.dmp	upx
behavioral2/memory/2120-135-0x0000000000400000-0x00000000008A0000-memory.dmp	upx

Kills process with taskkill 1 IoCs

evasion

pid	Process
4772	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4772	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2120	7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe
2120	7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 5068	2120	7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe	80
PID 2120 wrote to memory of 5068	2120	7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe	80
PID 2120 wrote to memory of 5068	2120	7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe	80
PID 2120 wrote to memory of 3868	2120	7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe	81
PID 2120 wrote to memory of 3868	2120	7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe	81
PID 2120 wrote to memory of 3868	2120	7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe	81
PID 5068 wrote to memory of 4772	5068	cmd.exe	84
PID 5068 wrote to memory of 4772	5068	cmd.exe	84
PID 5068 wrote to memory of 4772	5068	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe
"C:\Users\Admin\AppData\Local\Temp\7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im QQ.exe /t
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im QQ.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del 7dec3a7d227fe3fb68b3d4b3452efe38bc4200fc9a4ded31d0c32c0103e8b4eb.exe
  2⤵
  PID:3868

memory/2120-132-0x0000000000400000-0x00000000008A0000-memory.dmp

Filesize
4.6MB

Download
memory/2120-135-0x0000000000400000-0x00000000008A0000-memory.dmp

Filesize
4.6MB

Download