3473ee3b3f397e327232a7ac61fed6a020859b522277d7e40cec26897405ae20

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3473ee3b3f397e327232a7ac61fed6a020859b522277d7e40cec26897405ae20.exe
Size

215KB
MD5

64adea4ae9097efc47d4d366b572b640
SHA1

d2c99999f34da2c8356661079b309706523cbc1e
SHA256

3473ee3b3f397e327232a7ac61fed6a020859b522277d7e40cec26897405ae20
SHA512

7831c9c6a106f49661951273fd0db21e9447b2f74a28d144d89c5caaad2bee46dc821b9602c29cbdf7dc300b487e4bd6d47a83bb2556105c47f92d2e3338c166
SSDEEP

3072:PDCuZBU4kQZbXQRH2mlj7ud7s01DIYP/E55mzEqWHayyuxtgJI:PDCp45Zb2WW6dY0JIYP/E55mzE

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2032	windows.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000005c51-56.dat	upx
behavioral1/memory/1228-57-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/files/0x000a000000005c51-59.dat	upx
behavioral1/memory/2032-61-0x0000000040010000-0x000000004004C000-memory.dmp	upx
behavioral1/memory/2032-64-0x0000000000400000-0x0000000000438000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\windows.exe	3473ee3b3f397e327232a7ac61fed6a020859b522277d7e40cec26897405ae20.exe
File created	C:\Windows\windows.exe	windows.exe
File created	C:\Windows\windows.exe	3473ee3b3f397e327232a7ac61fed6a020859b522277d7e40cec26897405ae20.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2032	1228	3473ee3b3f397e327232a7ac61fed6a020859b522277d7e40cec26897405ae20.exe	27
PID 1228 wrote to memory of 2032	1228	3473ee3b3f397e327232a7ac61fed6a020859b522277d7e40cec26897405ae20.exe	27
PID 1228 wrote to memory of 2032	1228	3473ee3b3f397e327232a7ac61fed6a020859b522277d7e40cec26897405ae20.exe	27
PID 1228 wrote to memory of 2032	1228	3473ee3b3f397e327232a7ac61fed6a020859b522277d7e40cec26897405ae20.exe	27
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28
PID 2032 wrote to memory of 948	2032	windows.exe	28

C:\Users\Admin\AppData\Local\Temp\3473ee3b3f397e327232a7ac61fed6a020859b522277d7e40cec26897405ae20.exe
"C:\Users\Admin\AppData\Local\Temp\3473ee3b3f397e327232a7ac61fed6a020859b522277d7e40cec26897405ae20.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\windows.exe
  -bs
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\windows.exe

Filesize
215KB

MD5
64adea4ae9097efc47d4d366b572b640

SHA1
d2c99999f34da2c8356661079b309706523cbc1e

SHA256
3473ee3b3f397e327232a7ac61fed6a020859b522277d7e40cec26897405ae20

SHA512
7831c9c6a106f49661951273fd0db21e9447b2f74a28d144d89c5caaad2bee46dc821b9602c29cbdf7dc300b487e4bd6d47a83bb2556105c47f92d2e3338c166

Download Submit
C:\Windows\windows.exe

Filesize
215KB

MD5
64adea4ae9097efc47d4d366b572b640

SHA1
d2c99999f34da2c8356661079b309706523cbc1e

SHA256
3473ee3b3f397e327232a7ac61fed6a020859b522277d7e40cec26897405ae20

SHA512
7831c9c6a106f49661951273fd0db21e9447b2f74a28d144d89c5caaad2bee46dc821b9602c29cbdf7dc300b487e4bd6d47a83bb2556105c47f92d2e3338c166

Download Submit
memory/1228-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1228-57-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-61-0x0000000040010000-0x000000004004C000-memory.dmp

Filesize
240KB

Download
memory/2032-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download