23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd.exe
Size

71KB
MD5

6e6841298a67c1db4b205c8ac65a05c9
SHA1

1d14a5ce824bc4ab49160a556c41ba9a55f2cb1d
SHA256

23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd
SHA512

a54babc148ec6009e3281309408600f849f739c668caf179b75d8344c46e5d6ffd122fce8d8b197092eb1fb20fb66625de6dcd32b41e159611cd6a0084a32493
SSDEEP

1536:ZL35sVLpeVavSJdo/RWPWDR3eiZ9R7A3CDHFD10cn:ZT5sBodpOvfR7UCD7vn

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\suchost.exe	23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd.exe
File created	C:\Windows\SysWOW64\drivers\suchost.exe	23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd.exe

Executes dropped EXE 1 IoCs

pid	Process
1648	suchost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1572-55-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-56.dat	upx
behavioral1/files/0x000c0000000054a8-57.dat	upx
behavioral1/files/0x000c0000000054a8-59.dat	upx
behavioral1/memory/1572-63-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/1648-62-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-61.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
1572	23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd.exe
1572	23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1572	23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd.exe
1572	23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd.exe
1572	23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd.exe
1572	23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd.exe
1572	23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd.exe
1572	23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd.exe
1648	suchost.exe
1648	suchost.exe
1648	suchost.exe
1648	suchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 1648	1572	23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd.exe	27
PID 1572 wrote to memory of 1648	1572	23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd.exe	27
PID 1572 wrote to memory of 1648	1572	23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd.exe	27
PID 1572 wrote to memory of 1648	1572	23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd.exe	27

C:\Users\Admin\AppData\Local\Temp\23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd.exe
"C:\Users\Admin\AppData\Local\Temp\23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\SysWOW64\drivers\suchost.exe
  C:\Windows\system32\drivers\suchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\suchost.exe

Filesize
71KB

MD5
6e6841298a67c1db4b205c8ac65a05c9

SHA1
1d14a5ce824bc4ab49160a556c41ba9a55f2cb1d

SHA256
23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd

SHA512
a54babc148ec6009e3281309408600f849f739c668caf179b75d8344c46e5d6ffd122fce8d8b197092eb1fb20fb66625de6dcd32b41e159611cd6a0084a32493

Download Submit
C:\Windows\SysWOW64\drivers\suchost.exe

Filesize
71KB

MD5
6e6841298a67c1db4b205c8ac65a05c9

SHA1
1d14a5ce824bc4ab49160a556c41ba9a55f2cb1d

SHA256
23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd

SHA512
a54babc148ec6009e3281309408600f849f739c668caf179b75d8344c46e5d6ffd122fce8d8b197092eb1fb20fb66625de6dcd32b41e159611cd6a0084a32493

Download Submit
\Windows\SysWOW64\drivers\suchost.exe

Filesize
71KB

MD5
6e6841298a67c1db4b205c8ac65a05c9

SHA1
1d14a5ce824bc4ab49160a556c41ba9a55f2cb1d

SHA256
23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd

SHA512
a54babc148ec6009e3281309408600f849f739c668caf179b75d8344c46e5d6ffd122fce8d8b197092eb1fb20fb66625de6dcd32b41e159611cd6a0084a32493

Download Submit
\Windows\SysWOW64\drivers\suchost.exe

Filesize
71KB

MD5
6e6841298a67c1db4b205c8ac65a05c9

SHA1
1d14a5ce824bc4ab49160a556c41ba9a55f2cb1d

SHA256
23f29599976ef897652cb588b9b48252357e4ef081f26952a6b981a9d936e0dd

SHA512
a54babc148ec6009e3281309408600f849f739c668caf179b75d8344c46e5d6ffd122fce8d8b197092eb1fb20fb66625de6dcd32b41e159611cd6a0084a32493

Download Submit
memory/1572-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1572-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1572-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1648-62-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download