f68d84c32f3d1324a52e585d467ecdc2660a5283a16db42b598668c289dcb637

Analysis

max time kernel
30s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 02:48

Target

f68d84c32f3d1324a52e585d467ecdc2660a5283a16db42b598668c289dcb637.exe
Size

27KB
MD5

dcc3f259cb2bce1a1d22013647d15738
SHA1

5b3932ca95d4d90c0ac03697587a547ea13132d8
SHA256

f68d84c32f3d1324a52e585d467ecdc2660a5283a16db42b598668c289dcb637
SHA512

8e514a9754f9d923ed0ed9aafb426f5b3163b1b8799c9c838e4d33ee38af526b196a32b71717a51aec3e1e0923ee86726feea87ccceeb267b05305bff27cc656
SSDEEP

384:1dncDHwiAMY6hEMlQPSKYGQiSx2/rccrN+bDd0t4saNJawcudoD7U/AqgyB:1qEinTCwGgwvMbJ0qlnbcuyD7UAyB

Score

8^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1960-54-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1960-56-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ddr006.ocx	f68d84c32f3d1324a52e585d467ecdc2660a5283a16db42b598668c289dcb637.exe
File created	C:\Windows\SysWOW64\New.dll	f68d84c32f3d1324a52e585d467ecdc2660a5283a16db42b598668c289dcb637.exe
File opened for modification	C:\Windows\SysWOW64\New.dll	f68d84c32f3d1324a52e585d467ecdc2660a5283a16db42b598668c289dcb637.exe
File created	C:\Windows\SysWOW64\dsound.dll.7090120	f68d84c32f3d1324a52e585d467ecdc2660a5283a16db42b598668c289dcb637.exe
File opened for modification	C:\Windows\SysWOW64\dsound.dll.7090120	f68d84c32f3d1324a52e585d467ecdc2660a5283a16db42b598668c289dcb637.exe
File opened for modification	C:\Windows\SysWOW64\1006.ocx	f68d84c32f3d1324a52e585d467ecdc2660a5283a16db42b598668c289dcb637.exe
File created	C:\Windows\SysWOW64\1006.ocx	f68d84c32f3d1324a52e585d467ecdc2660a5283a16db42b598668c289dcb637.exe
File opened for modification	C:\Windows\SysWOW64\ddr006.ocx	f68d84c32f3d1324a52e585d467ecdc2660a5283a16db42b598668c289dcb637.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
280	1960	WerFault.exe	8

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1960	f68d84c32f3d1324a52e585d467ecdc2660a5283a16db42b598668c289dcb637.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 280	1960	f68d84c32f3d1324a52e585d467ecdc2660a5283a16db42b598668c289dcb637.exe	28
PID 1960 wrote to memory of 280	1960	f68d84c32f3d1324a52e585d467ecdc2660a5283a16db42b598668c289dcb637.exe	28
PID 1960 wrote to memory of 280	1960	f68d84c32f3d1324a52e585d467ecdc2660a5283a16db42b598668c289dcb637.exe	28
PID 1960 wrote to memory of 280	1960	f68d84c32f3d1324a52e585d467ecdc2660a5283a16db42b598668c289dcb637.exe	28

C:\Users\Admin\AppData\Local\Temp\f68d84c32f3d1324a52e585d467ecdc2660a5283a16db42b598668c289dcb637.exe
"C:\Users\Admin\AppData\Local\Temp\f68d84c32f3d1324a52e585d467ecdc2660a5283a16db42b598668c289dcb637.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 124
  2⤵
  - Program crash
  PID:280

memory/1960-54-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1960-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download