78176bbf1207a3580152b38c70ad4731118906bccae18e62b2d76ed371d724d0

Analysis

max time kernel
47s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 10:56

Target

78176bbf1207a3580152b38c70ad4731118906bccae18e62b2d76ed371d724d0.exe
Size

94KB
MD5

fb66d6ef4288e46c6af045476ef8605e
SHA1

f1e56fd8bcaef34b4b0b19379150305516c888d8
SHA256

78176bbf1207a3580152b38c70ad4731118906bccae18e62b2d76ed371d724d0
SHA512

073108e735209f0608c760ec8f1d2c4fdc3f6b1d51afcda1e3f5fa78563df21df37eecc850ba97cdda1769ea41a8675ef39a08f640f61dd2574d68372cacfddb
SSDEEP

1536:4OMi8L0cHVe6GIyNpFB2FzLKAOjPIVsvE+yhDNZP7kIA3oZfPsWRoJf:siAR1eIydB2pLKAKIsDyh4Z4w

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
988	System64.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x000500000000b2d2-55.dat	upx
behavioral1/files/0x000500000000b2d2-57.dat	upx
behavioral1/memory/988-58-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1768-60-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
2028	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\System64.exe	78176bbf1207a3580152b38c70ad4731118906bccae18e62b2d76ed371d724d0.exe
File opened for modification	C:\Windows\SysWOW64\System64.exe	78176bbf1207a3580152b38c70ad4731118906bccae18e62b2d76ed371d724d0.exe
File created	C:\Windows\SysWOW64\KMe.bat	78176bbf1207a3580152b38c70ad4731118906bccae18e62b2d76ed371d724d0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2028	1768	78176bbf1207a3580152b38c70ad4731118906bccae18e62b2d76ed371d724d0.exe	28
PID 1768 wrote to memory of 2028	1768	78176bbf1207a3580152b38c70ad4731118906bccae18e62b2d76ed371d724d0.exe	28
PID 1768 wrote to memory of 2028	1768	78176bbf1207a3580152b38c70ad4731118906bccae18e62b2d76ed371d724d0.exe	28
PID 1768 wrote to memory of 2028	1768	78176bbf1207a3580152b38c70ad4731118906bccae18e62b2d76ed371d724d0.exe	28

C:\Users\Admin\AppData\Local\Temp\78176bbf1207a3580152b38c70ad4731118906bccae18e62b2d76ed371d724d0.exe
"C:\Users\Admin\AppData\Local\Temp\78176bbf1207a3580152b38c70ad4731118906bccae18e62b2d76ed371d724d0.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\KMe.bat
  2⤵
  - Deletes itself
  PID:2028

C:\Windows\SysWOW64\System64.exe
C:\Windows\SysWOW64\System64.exe
1⤵
- Executes dropped EXE
PID:988

C:\Windows\SysWOW64\KMe.bat

Filesize
118B

MD5
b6a5de19991d18f4cd7ad9773e3c0213

SHA1
8ec7ad42cfbbc23f3dad7dc8f0bd246239295180

SHA256
a69d42d54e972a7ffb74ebb97c40e5cda7ea9929e05a1c0de2d0efd0759fa899

SHA512
7af7a7cee24e029e5e9dd444167412ab5a0216375f162b57bfa77434947b2387ca5d52edfad4ab6f6095b1025533fea15ff1c9949022fe4da120d20556c8ca12

Download Submit
C:\Windows\SysWOW64\System64.exe

Filesize
94KB

MD5
fb66d6ef4288e46c6af045476ef8605e

SHA1
f1e56fd8bcaef34b4b0b19379150305516c888d8

SHA256
78176bbf1207a3580152b38c70ad4731118906bccae18e62b2d76ed371d724d0

SHA512
073108e735209f0608c760ec8f1d2c4fdc3f6b1d51afcda1e3f5fa78563df21df37eecc850ba97cdda1769ea41a8675ef39a08f640f61dd2574d68372cacfddb

Download Submit
C:\Windows\SysWOW64\System64.exe

Filesize
94KB

MD5
fb66d6ef4288e46c6af045476ef8605e

SHA1
f1e56fd8bcaef34b4b0b19379150305516c888d8

SHA256
78176bbf1207a3580152b38c70ad4731118906bccae18e62b2d76ed371d724d0

SHA512
073108e735209f0608c760ec8f1d2c4fdc3f6b1d51afcda1e3f5fa78563df21df37eecc850ba97cdda1769ea41a8675ef39a08f640f61dd2574d68372cacfddb

Download Submit
memory/988-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1768-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/1768-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download