982ca06b16a7e3f3ff43bbf537791d7e192bb18182513e497b68cd90a8836d69

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
21-09-2022 04:38

Target

982ca06b16a7e3f3ff43bbf537791d7e192bb18182513e497b68cd90a8836d69.exe
Size

377KB
MD5

bf23d986655ed3e972080eb248ca8dba
SHA1

abdf08009dc49e0c7886701ce5568d54ae7596c7
SHA256

982ca06b16a7e3f3ff43bbf537791d7e192bb18182513e497b68cd90a8836d69
SHA512

a107c7f703e8943efd1a10f8904a71e219761c8e2423a5f5784011d2b7b60bf2cf76fdde2c60bda35c710e9dc59e882b352c7418d5227a731e466556fae61503
SSDEEP

6144:j+ssXv5jUA2OpjesAOfoTb+v+90TveVBciZnbCUxP4C9tgf/AN1LtdReCBJJKKrz:ZOv5jKhsfoPA+yeVKUCUxP4C902bdRtX

Score

8^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1064-58-0x0000000000400000-0x00000000004EE000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1064-58-0x0000000000400000-0x00000000004EE000-memory.dmp	autoit_exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 1744	1064	982ca06b16a7e3f3ff43bbf537791d7e192bb18182513e497b68cd90a8836d69.exe	27
PID 1064 wrote to memory of 1744	1064	982ca06b16a7e3f3ff43bbf537791d7e192bb18182513e497b68cd90a8836d69.exe	27
PID 1064 wrote to memory of 1744	1064	982ca06b16a7e3f3ff43bbf537791d7e192bb18182513e497b68cd90a8836d69.exe	27
PID 1064 wrote to memory of 1744	1064	982ca06b16a7e3f3ff43bbf537791d7e192bb18182513e497b68cd90a8836d69.exe	27
PID 1744 wrote to memory of 1832	1744	cmd.exe	29
PID 1744 wrote to memory of 1832	1744	cmd.exe	29
PID 1744 wrote to memory of 1832	1744	cmd.exe	29
PID 1744 wrote to memory of 1832	1744	cmd.exe	29
PID 1832 wrote to memory of 1176	1832	net.exe	30
PID 1832 wrote to memory of 1176	1832	net.exe	30
PID 1832 wrote to memory of 1176	1832	net.exe	30
PID 1832 wrote to memory of 1176	1832	net.exe	30

C:\Users\Admin\AppData\Local\Temp\982ca06b16a7e3f3ff43bbf537791d7e192bb18182513e497b68cd90a8836d69.exe
"C:\Users\Admin\AppData\Local\Temp\982ca06b16a7e3f3ff43bbf537791d7e192bb18182513e497b68cd90a8836d69.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net user administrator /active:yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\net.exe
    net user administrator /active:yes
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user administrator /active:yes
      4⤵
      PID:1176

memory/1064-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1064-58-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download