e2de578cc207a0866c80c889c53aa94358a7bb07418b9731c3f94a564eb7d914

Analysis

max time kernel
63s
max time network
78s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 19:40

Target

e2de578cc207a0866c80c889c53aa94358a7bb07418b9731c3f94a564eb7d914.exe
Size

754KB
MD5

b75f4b6f92fde130c694f264d4c8d403
SHA1

c0dd0dbcf20f3e85a7a00c4376b624f90ded9361
SHA256

e2de578cc207a0866c80c889c53aa94358a7bb07418b9731c3f94a564eb7d914
SHA512

d4711f7dcfecd1cfd67a4a35c7ab6b7a6fe19d921257d0722f25f535dd7693164ab33db9d9693b3c4ab7e747d6c2dad95f61fe702ab669e170968743d3c94ef2
SSDEEP

12288:iplHTKI+LJ6knFQ8LckSl4PDVMfpoLqLWvItSesv6+G:YBaJ6G/LckSl4PDKf3LCW86+G

Score

8^/10

upx

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/840-55-0x0000000000400000-0x000000000059A000-memory.dmp	upx
behavioral1/memory/840-56-0x0000000000400000-0x000000000059A000-memory.dmp	upx
behavioral1/memory/840-59-0x0000000000400000-0x000000000059A000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1856	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\DNomb\Mpec.mbt	e2de578cc207a0866c80c889c53aa94358a7bb07418b9731c3f94a564eb7d914.exe
File opened for modification	C:\Windows\DNomb\Mpec.mbt	e2de578cc207a0866c80c889c53aa94358a7bb07418b9731c3f94a564eb7d914.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
840	e2de578cc207a0866c80c889c53aa94358a7bb07418b9731c3f94a564eb7d914.exe
840	e2de578cc207a0866c80c889c53aa94358a7bb07418b9731c3f94a564eb7d914.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 1856	840	e2de578cc207a0866c80c889c53aa94358a7bb07418b9731c3f94a564eb7d914.exe	31
PID 840 wrote to memory of 1856	840	e2de578cc207a0866c80c889c53aa94358a7bb07418b9731c3f94a564eb7d914.exe	31
PID 840 wrote to memory of 1856	840	e2de578cc207a0866c80c889c53aa94358a7bb07418b9731c3f94a564eb7d914.exe	31
PID 840 wrote to memory of 1856	840	e2de578cc207a0866c80c889c53aa94358a7bb07418b9731c3f94a564eb7d914.exe	31

C:\Users\Admin\AppData\Local\Temp\e2de578cc207a0866c80c889c53aa94358a7bb07418b9731c3f94a564eb7d914.exe
"C:\Users\Admin\AppData\Local\Temp\e2de578cc207a0866c80c889c53aa94358a7bb07418b9731c3f94a564eb7d914.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del e2de578cc207a0866c80c889c53aa94358a7bb07418b9731c3f94a564eb7d914.exe
  2⤵
  - Deletes itself
  PID:1856

memory/840-54-0x00000000754C1000-0x00000000754C3000-memory.dmp

Filesize
8KB

Download
memory/840-55-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/840-56-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/840-57-0x0000000074491000-0x0000000074493000-memory.dmp

Filesize
8KB

Download
memory/840-59-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download