893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894

Analysis

max time kernel
136s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 20:40

Target

893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe
Size

294KB
MD5

0e589dc718978b73ed7f0254e4e3a9af
SHA1

374bec41a2013ecaa7a42a17df32d08a846818f7
SHA256

893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894
SHA512

9477c4bad8e2e7c38c0199f8051f27fed1b570936268086603b3022dc6105ff2918dee744853ef57da230b9620cc12cb0ebfbae26b332c3eae665b9d060ca7eb
SSDEEP

6144:KWrbUaaWGp3Bua8w3tkRfFFvW72dqeDG2omltDd0+MhoMnXCGGjGGtGGxGgG0GyE:Kc4aaNitwdAfFF9gPaFMuMnXji6

Score

8^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/4852-132-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4852-138-0x0000000000400000-0x000000000046E000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4852 set thread context of 484	4852	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	82

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4852	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 484	4852	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	82
PID 4852 wrote to memory of 484	4852	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	82
PID 4852 wrote to memory of 484	4852	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	82
PID 4852 wrote to memory of 484	4852	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	82
PID 4852 wrote to memory of 484	4852	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	82
PID 4852 wrote to memory of 484	4852	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	82
PID 4852 wrote to memory of 484	4852	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	82
PID 4852 wrote to memory of 484	4852	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	82

C:\Users\Admin\AppData\Local\Temp\893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe
"C:\Users\Admin\AppData\Local\Temp\893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Users\Admin\AppData\Local\Temp\893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe
  "C:\Users\Admin\AppData\Local\Temp\893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe"
  2⤵
  PID:484

memory/484-136-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/484-139-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4852-132-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4852-138-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download