42f714dcfd3081c98da5bc6d6862390da6a93891109154c6d799407b22f1f954

Analysis

max time kernel
138s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 21:34

Target

42f714dcfd3081c98da5bc6d6862390da6a93891109154c6d799407b22f1f954.exe
Size

77KB
MD5

aa8a75f9921b5bd121e7b8def42eda58
SHA1

f3e16cf6719f76208b6d57b5865d55731090d9a5
SHA256

42f714dcfd3081c98da5bc6d6862390da6a93891109154c6d799407b22f1f954
SHA512

32f8637e0bcba90067e422ea369baad02b7fe15c5b4eb5bc72285cda1267780adbaed5cdd2b8586da0874346dccfb798c22f302525a1c805cbf5e4f111d75a83
SSDEEP

768:qHoxQJoOttDax40RHl1ZcC9k3SVXA6mF0vm86U2MC73uw1vTVZf9YsGwzi:qISJOfDcC9jXA6mjfuwpvFlGr

Score

8^/10

upx

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/5080-133-0x0000000000400000-0x0000000002B10000-memory.dmp	upx
behavioral2/memory/5080-136-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/5080-137-0x0000000000400000-0x0000000002B10000-memory.dmp	upx
behavioral2/memory/5080-138-0x0000000000400000-0x0000000002B10000-memory.dmp	upx
behavioral2/memory/5080-139-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/5080-140-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1244 set thread context of 5080	1244	42f714dcfd3081c98da5bc6d6862390da6a93891109154c6d799407b22f1f954.exe	80

Suspicious behavior: EnumeratesProcesses 14 IoCs

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1244	42f714dcfd3081c98da5bc6d6862390da6a93891109154c6d799407b22f1f954.exe
1244	42f714dcfd3081c98da5bc6d6862390da6a93891109154c6d799407b22f1f954.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 5080	1244	42f714dcfd3081c98da5bc6d6862390da6a93891109154c6d799407b22f1f954.exe	80
PID 1244 wrote to memory of 5080	1244	42f714dcfd3081c98da5bc6d6862390da6a93891109154c6d799407b22f1f954.exe	80
PID 1244 wrote to memory of 5080	1244	42f714dcfd3081c98da5bc6d6862390da6a93891109154c6d799407b22f1f954.exe	80
PID 1244 wrote to memory of 5080	1244	42f714dcfd3081c98da5bc6d6862390da6a93891109154c6d799407b22f1f954.exe	80
PID 1244 wrote to memory of 5080	1244	42f714dcfd3081c98da5bc6d6862390da6a93891109154c6d799407b22f1f954.exe	80
PID 1244 wrote to memory of 5080	1244	42f714dcfd3081c98da5bc6d6862390da6a93891109154c6d799407b22f1f954.exe	80
PID 1244 wrote to memory of 5080	1244	42f714dcfd3081c98da5bc6d6862390da6a93891109154c6d799407b22f1f954.exe	80
PID 1244 wrote to memory of 5080	1244	42f714dcfd3081c98da5bc6d6862390da6a93891109154c6d799407b22f1f954.exe	80
PID 1244 wrote to memory of 5080	1244	42f714dcfd3081c98da5bc6d6862390da6a93891109154c6d799407b22f1f954.exe	80

C:\Users\Admin\AppData\Local\Temp\42f714dcfd3081c98da5bc6d6862390da6a93891109154c6d799407b22f1f954.exe
"C:\Users\Admin\AppData\Local\Temp\42f714dcfd3081c98da5bc6d6862390da6a93891109154c6d799407b22f1f954.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\42f714dcfd3081c98da5bc6d6862390da6a93891109154c6d799407b22f1f954.exe
  "C:\Users\Admin\AppData\Local\Temp\42f714dcfd3081c98da5bc6d6862390da6a93891109154c6d799407b22f1f954.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5080

memory/1244-135-0x0000000000770000-0x0000000000774000-memory.dmp

Filesize
16KB

Download
memory/5080-133-0x0000000000400000-0x0000000002B10000-memory.dmp

Filesize
39.1MB

Download
memory/5080-136-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5080-137-0x0000000000400000-0x0000000002B10000-memory.dmp

Filesize
39.1MB

Download
memory/5080-138-0x0000000000400000-0x0000000002B10000-memory.dmp

Filesize
39.1MB

Download
memory/5080-139-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5080-140-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download