bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d

Analysis

max time kernel
3s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 08:19

Target

bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe
Size

32KB
MD5

9fef356de1b1acd2b18313c1b417dcab
SHA1

7101b96b96b3a47166fae75f071e5d624188987a
SHA256

bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d
SHA512

0df6e13747731454cfc94ae54d1d75ac3cf9bb77b1ccb8cebe9c99b70f3f45dd74222ec0177277bd91d556402f6b64dcf675feec59d06792b14f42711bfd9f28
SSDEEP

768:pUjPQRHHmvTZft5oXtTG6e4Zyh3nmU6H0GpTE1:pUjPinmb9ETG6X0x6Hvd4

Score

8^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1416-58-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1416	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe
1416	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gUpfVk.dll	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe
File opened for modification	C:\Windows\SysWOW64\gUpfVk.dll	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe
File created	C:\Windows\SysWOW64\GvPGxKUED.dll	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe
File opened for modification	C:\Windows\SysWOW64\GvPGxKUED.dll	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
332	1416	WerFault.exe	25

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1416	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 332	1416	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe	28
PID 1416 wrote to memory of 332	1416	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe	28
PID 1416 wrote to memory of 332	1416	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe	28
PID 1416 wrote to memory of 332	1416	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe	28

C:\Users\Admin\AppData\Local\Temp\bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe
"C:\Users\Admin\AppData\Local\Temp\bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 192
  2⤵
  - Program crash
  PID:332

\Windows\SysWOW64\GvPGxKUED.dll

Filesize
813KB

MD5
5e0db2d8b2750543cd2ebb9ea8e6cdd3

SHA1
8b997b38e179cd03c0a2e87bddbc1ebca39a8630

SHA256
01eb95fa3943cf3c6b1a21e473a5c3cb9fcbce46913b15c96cac14e4f04075b4

SHA512
38a2064f7a740feb6dba46d57998140f16da7b9302bfe217a24d593220c2340f854645d05993aac6b7ecf819b5c09e062c5c81ba29f79d919ae518e6de071716

Download Submit
\Windows\SysWOW64\gUpfVk.dll

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
memory/1416-58-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download