edef06b620c9b9c770d6031461038952df6583bc3366ec160cac5c3548362ded

Analysis

max time kernel
224s
max time network
278s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 12:08

Target

ǹӢ۱Ǹv1.1ʽ.exe
Size

1.6MB
MD5

ed4f06953ea89d555ef84bbc86a7487a
SHA1

3e2203acc6d9132f26f54c128b0eb4163aefebc4
SHA256

37848ebc6c51448455a1fd7ea9385f6bdf420e776f1330318d816926d499ae0c
SHA512

33b1f8e71529b05d7da4da7712e310f3d69277977c024f1975c7e664f49ba6c7289caf4042fea88c2ce582a208b2c058cf672ef3f7e93235c3318618307a047a
SSDEEP

24576:HuXwi1apNLM44N3G+qb0AL8ffhnENiMmEKmlNvbJL4thUF:HATapNIScxEmqvihO

Score

9^/10

upx

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000b000000022dd7-133.dat	acprotect

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x000b000000022dd7-133.dat	upx
behavioral2/memory/1588-134-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1588	ǹӢ۱Ǹv1.1ʽ.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1948	1588	WerFault.exe	80
3676	1588	WerFault.exe	80

Suspicious use of SetWindowsHookEx 6 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 1948	1588	ǹӢ۱Ǹv1.1ʽ.exe	84
PID 1588 wrote to memory of 1948	1588	ǹӢ۱Ǹv1.1ʽ.exe	84
PID 1588 wrote to memory of 1948	1588	ǹӢ۱Ǹv1.1ʽ.exe	84

C:\Users\Admin\AppData\Local\Temp\ǹӢ۱Ǹv1.1ʽ.exe
"C:\Users\Admin\AppData\Local\Temp\ǹӢ۱Ǹv1.1ʽ.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 1604
  2⤵
  - Program crash
  PID:1948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 1604
  2⤵
  - Program crash
  PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1588 -ip 1588
1⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
memory/1588-132-0x0000000000400000-0x0000000000680200-memory.dmp

Filesize
2.5MB

Download
memory/1588-134-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download