cc0b07ebe75b6859111488738262fcbd1a35e6f43c155f7a1a671dafb07afbc2

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 15:20

Target

cc0b07ebe75b6859111488738262fcbd1a35e6f43c155f7a1a671dafb07afbc2.exe
Size

130KB
MD5

201b12cc9da0bb0a066dc101348e77f5
SHA1

23d87bdb576166c7557ff9dee2ad7d2d98e30744
SHA256

cc0b07ebe75b6859111488738262fcbd1a35e6f43c155f7a1a671dafb07afbc2
SHA512

d13389260325f220f8954536efbf431065ebd4e9fdb923096b0e9cb09891ec4651a26137cff241cc544c96bb692dab8f01bd5fcd3e31b211b1aa56a909bb0ffe
SSDEEP

768:8F57x2Cj+YBn8uRCPSjM6C1wZlcQCpDkNxWTcYpvVjzpyvxLAOupAuJU8pmaw5A0:8FRx2Re56c7HXWThpngxLAOup73w5Xy

Score

8^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1368-55-0x0000000031430000-0x0000000031463000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1696	1368	WerFault.exe	26

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1368	cc0b07ebe75b6859111488738262fcbd1a35e6f43c155f7a1a671dafb07afbc2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1368	cc0b07ebe75b6859111488738262fcbd1a35e6f43c155f7a1a671dafb07afbc2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1696	1368	cc0b07ebe75b6859111488738262fcbd1a35e6f43c155f7a1a671dafb07afbc2.exe	27
PID 1368 wrote to memory of 1696	1368	cc0b07ebe75b6859111488738262fcbd1a35e6f43c155f7a1a671dafb07afbc2.exe	27
PID 1368 wrote to memory of 1696	1368	cc0b07ebe75b6859111488738262fcbd1a35e6f43c155f7a1a671dafb07afbc2.exe	27
PID 1368 wrote to memory of 1696	1368	cc0b07ebe75b6859111488738262fcbd1a35e6f43c155f7a1a671dafb07afbc2.exe	27

C:\Users\Admin\AppData\Local\Temp\cc0b07ebe75b6859111488738262fcbd1a35e6f43c155f7a1a671dafb07afbc2.exe
"C:\Users\Admin\AppData\Local\Temp\cc0b07ebe75b6859111488738262fcbd1a35e6f43c155f7a1a671dafb07afbc2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 112
  2⤵
  - Program crash
  PID:1696

memory/1368-55-0x0000000031430000-0x0000000031463000-memory.dmp

Filesize
204KB

Download