bd0837aeaf86eebe234dd115555a8e21fefac1228fa447e51b2fe2302515ebf9

Analysis

max time kernel
138s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 00:05

Target

bd0837aeaf86eebe234dd115555a8e21fefac1228fa447e51b2fe2302515ebf9.exe
Size

295KB
MD5

df6432f0104107b4fabe60a53f1e9a5a
SHA1

199a2b247d40d5b95af84c8789db3e0a0627b4f4
SHA256

bd0837aeaf86eebe234dd115555a8e21fefac1228fa447e51b2fe2302515ebf9
SHA512

2c73bb92a3a7d7aa63998eb78af8827190fa601b0203b09a9c92cbf977337f28e52c3567ddec1bf71028893426382bf519dc9f9993477787d55358a3416c57b8
SSDEEP

6144:p4tETjaBZgCtOROVtQlYyWKaV4Pd0I1jfBynfQeMe:8BvIwt5yWKPjGfM

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
1984	360.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1608-55-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-56.dat	upx
behavioral1/files/0x0007000000005c50-58.dat	upx
behavioral1/memory/1984-59-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1984-60-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\360.exe	bd0837aeaf86eebe234dd115555a8e21fefac1228fa447e51b2fe2302515ebf9.exe
File opened for modification	C:\Windows\360.exe	bd0837aeaf86eebe234dd115555a8e21fefac1228fa447e51b2fe2302515ebf9.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	bd0837aeaf86eebe234dd115555a8e21fefac1228fa447e51b2fe2302515ebf9.exe
Token: SeDebugPrivilege	1984	360.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1984	360.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1716	1984	360.exe	27
PID 1984 wrote to memory of 1716	1984	360.exe	27
PID 1984 wrote to memory of 1716	1984	360.exe	27
PID 1984 wrote to memory of 1716	1984	360.exe	27

C:\Windows\360.exe
C:\Windows\360.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1716

C:\Windows\360.exe

Filesize
295KB

MD5
df6432f0104107b4fabe60a53f1e9a5a

SHA1
199a2b247d40d5b95af84c8789db3e0a0627b4f4

SHA256
bd0837aeaf86eebe234dd115555a8e21fefac1228fa447e51b2fe2302515ebf9

SHA512
2c73bb92a3a7d7aa63998eb78af8827190fa601b0203b09a9c92cbf977337f28e52c3567ddec1bf71028893426382bf519dc9f9993477787d55358a3416c57b8

Download Submit
C:\Windows\360.exe

Filesize
295KB

MD5
df6432f0104107b4fabe60a53f1e9a5a

SHA1
199a2b247d40d5b95af84c8789db3e0a0627b4f4

SHA256
bd0837aeaf86eebe234dd115555a8e21fefac1228fa447e51b2fe2302515ebf9

SHA512
2c73bb92a3a7d7aa63998eb78af8827190fa601b0203b09a9c92cbf977337f28e52c3567ddec1bf71028893426382bf519dc9f9993477787d55358a3416c57b8

Download Submit
memory/1608-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1608-55-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1984-59-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1984-60-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download