735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c

Analysis

max time kernel
19s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 20:33

Target

735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe
Size

572KB
MD5

0d50f046e6eb7e921272b20d62e1003a
SHA1

9dda4c398008827fadc3775026e81d922eab8dfe
SHA256

735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c
SHA512

6954266c06fcb7d20ba47624aa796cfd40ddad9d4e4c566dd8402b71cca2e5fd5f099f09be23dbcbab4bf563eae35b3e64a2411b7253379cf319c0b036fd3d00
SSDEEP

12288:R8qUSvdP3zOstTokAQn2+ay8Hprl90ENhT713v/A7U97w:RwSvV3rAQnWLlXRvI7M7w

Score

9^/10

upx

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b0000000122f6-56.dat	acprotect
behavioral1/files/0x000b0000000122f6-58.dat	acprotect

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1372-54-0x0000000000400000-0x0000000000530000-memory.dmp	upx
behavioral1/files/0x000b0000000122f6-56.dat	upx
behavioral1/files/0x000b0000000122f6-58.dat	upx
behavioral1/memory/1372-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1372-60-0x0000000000400000-0x0000000000530000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1372	735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1372	735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe
1372	735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe
1372	735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 1800	1372	735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe	28
PID 1372 wrote to memory of 1800	1372	735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe	28
PID 1372 wrote to memory of 1800	1372	735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe	28
PID 1372 wrote to memory of 1800	1372	735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe	28

C:\Users\Admin\AppData\Local\Temp\735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe
"C:\Users\Admin\AppData\Local\Temp\735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /a C:\Users\Admin\AppData\Local\Temp\jedata.dll
  2⤵
  PID:1800

C:\Users\Admin\AppData\Local\Temp\jedata.dll

Filesize
86KB

MD5
114054313070472cd1a6d7d28f7c5002

SHA1
9a044986e6101df1a126035da7326a50c3fe9a23

SHA256
e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1

SHA512
a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522

Download Submit
\Users\Admin\AppData\Local\Temp\jedata.dll

Filesize
86KB

MD5
114054313070472cd1a6d7d28f7c5002

SHA1
9a044986e6101df1a126035da7326a50c3fe9a23

SHA256
e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1

SHA512
a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522

Download Submit
memory/1372-54-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/1372-55-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1372-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1372-60-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download