b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b

Analysis

max time kernel
26s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe
Size

182KB
MD5

817adf24110cf9b327502fd1a975aa4f
SHA1

20e4edda578ef07ca93845dc3743438d1055ee96
SHA256

b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b
SHA512

15a34964514f219bc7d50eae154e0ecfd9c751f23162647793d1e8157bea20ee3c1416a4c9aa3e4d520136df4861e5fcf8a6608bda5d1237d59cab3ce9324e71
SSDEEP

1536:rnllFL4xITdXk+IrFjzOkHQRIPqmY7/ae817RReqmkq11IuIwWzn:rRL4T+IrVKkHQmVY7yem7XmkEHWzn

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/328-60-0x0000000000400000-0x000000000047E000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 328 set thread context of 1380	328	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe	27
PID 328 set thread context of 0	328	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1380	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe
1380	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
328	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 1380	328	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe	27
PID 328 wrote to memory of 1380	328	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe	27
PID 328 wrote to memory of 1380	328	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe	27
PID 328 wrote to memory of 1380	328	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe	27
PID 328 wrote to memory of 1380	328	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe	27
PID 328 wrote to memory of 1380	328	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe	27
PID 328 wrote to memory of 1380	328	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe	27
PID 328 wrote to memory of 1380	328	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe	27
PID 328 wrote to memory of 0	328	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe
PID 328 wrote to memory of 0	328	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe
PID 328 wrote to memory of 0	328	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe
PID 328 wrote to memory of 0	328	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe
PID 1380 wrote to memory of 1412	1380	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe	13
PID 1380 wrote to memory of 1412	1380	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe	13
PID 1380 wrote to memory of 1412	1380	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe	13
PID 1380 wrote to memory of 1412	1380	b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe	13

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1412
- C:\Users\Admin\AppData\Local\Temp\b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe
  "C:\Users\Admin\AppData\Local\Temp\b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:328
- - C:\Users\Admin\AppData\Local\Temp\b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe
    "C:\Users\Admin\AppData\Local\Temp\b923a62895669014b3d978f9313f3257aaf89b32a1b034ea5799c6390f35a89b.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/0-59-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/328-60-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1380-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1380-61-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/1380-62-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1380-66-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1412-63-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download