9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd

Analysis

max time kernel
165s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 18:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.exe
Size

105KB
MD5

c6424499a43b44afdad295ca3470a6bd
SHA1

c884c9379640d03cd6d34fcff1470d8b4380bfa4
SHA256

9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd
SHA512

f0e07f8bc8bad1a640c902f3eff42ee5ff0f8dff45fad6038f76a1a8990695a45f225ab9f321bb2c2b145ff9ce003cbdbd8d722c33c6528b51d56f07d22329db
SSDEEP

1536:aomjhDD3sPoudLwH/hUmxhyL1q7KQZOT2iXAOTqOTSHpT2QXi3B/2kX0mPFg6:abN0LwH/hUmnWo2lKiXNbBaNkX0mPFn

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4600	9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.~01

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1808-132-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1808-140-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1808	9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.exe
4600	9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.~01

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SYSLIB32.DLL	9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7Z.KLK	9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7Z.EXE	9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.exe
File created	C:\PROGRAM FILES\7-ZIP\7ZFM.TIS	9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7ZFM.TIS	9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7ZFM.EXE	9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.exe
File created	C:\PROGRAM FILES\7-ZIP\7Z.KLK	9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1808	9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.exe
1808	9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 4600	1808	9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.exe	80
PID 1808 wrote to memory of 4600	1808	9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.exe	80
PID 1808 wrote to memory of 4600	1808	9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.exe	80

C:\Users\Admin\AppData\Local\Temp\9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.exe
"C:\Users\Admin\AppData\Local\Temp\9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.~01
  C:\Users\Admin\AppData\Local\Temp\9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.~01
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.~01

Filesize
72KB

MD5
48cdab5eb8c952534ae2c5aed72ccb70

SHA1
a68607d6b1fe806be5dd2ead33a63a577ae60193

SHA256
5b971c4875dc29c80712c205d36c1ebdb6633494b02623eb13246512a34ae7f8

SHA512
8c9e69e577a0cda8e520e8d739c3366499770ff175eef5094ecd0534eaddf8b1cbd6f8928c112f080d4a72f45d7b781ccd7767e484a1616917590403e463a2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c7ecb8cdb3991170fc001a05fbab9ac77f91e8b1b214a71e05a260354514cdd.~01

Filesize
72KB

MD5
48cdab5eb8c952534ae2c5aed72ccb70

SHA1
a68607d6b1fe806be5dd2ead33a63a577ae60193

SHA256
5b971c4875dc29c80712c205d36c1ebdb6633494b02623eb13246512a34ae7f8

SHA512
8c9e69e577a0cda8e520e8d739c3366499770ff175eef5094ecd0534eaddf8b1cbd6f8928c112f080d4a72f45d7b781ccd7767e484a1616917590403e463a2fa

Download Submit
C:\Windows\SysWOW64\SYSLIB32.DLL

Filesize
4KB

MD5
f14bd85eeba2b828a655fe62931035e5

SHA1
c6f962ab17705248f1c54675f3f02ee162d5a2b9

SHA256
78350b4add47b0ffa7ad91912fd3937afe19671b08df79463abcbedb12e470db

SHA512
9a825d7976e42259f7396e9bc174ae76a12e3464b7ea452270105a5510f97388c757c70d973fc94eefb715862e3b6c99edbd86b6ca936cd6670c7f3b7ea6fde2

Download Submit
C:\Windows\SysWOW64\SYSLIB32.DLL

Filesize
4KB

MD5
f14bd85eeba2b828a655fe62931035e5

SHA1
c6f962ab17705248f1c54675f3f02ee162d5a2b9

SHA256
78350b4add47b0ffa7ad91912fd3937afe19671b08df79463abcbedb12e470db

SHA512
9a825d7976e42259f7396e9bc174ae76a12e3464b7ea452270105a5510f97388c757c70d973fc94eefb715862e3b6c99edbd86b6ca936cd6670c7f3b7ea6fde2

Download Submit
C:\Windows\SysWOW64\SYSLIB32.DLL

Filesize
4KB

MD5
f14bd85eeba2b828a655fe62931035e5

SHA1
c6f962ab17705248f1c54675f3f02ee162d5a2b9

SHA256
78350b4add47b0ffa7ad91912fd3937afe19671b08df79463abcbedb12e470db

SHA512
9a825d7976e42259f7396e9bc174ae76a12e3464b7ea452270105a5510f97388c757c70d973fc94eefb715862e3b6c99edbd86b6ca936cd6670c7f3b7ea6fde2

Download Submit
memory/1808-132-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1808-140-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4600-139-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download