bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d

Analysis

max time kernel
158s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 08:19

Target

bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe
Size

32KB
MD5

9fef356de1b1acd2b18313c1b417dcab
SHA1

7101b96b96b3a47166fae75f071e5d624188987a
SHA256

bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d
SHA512

0df6e13747731454cfc94ae54d1d75ac3cf9bb77b1ccb8cebe9c99b70f3f45dd74222ec0177277bd91d556402f6b64dcf675feec59d06792b14f42711bfd9f28
SSDEEP

768:pUjPQRHHmvTZft5oXtTG6e4Zyh3nmU6H0GpTE1:pUjPinmb9ETG6X0x6Hvd4

Score

8^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/912-136-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
912	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe
912	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gUpfVk.dll	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe
File opened for modification	C:\Windows\SysWOW64\gUpfVk.dll	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe
File created	C:\Windows\SysWOW64\GvPGxKUED.dll	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe
File opened for modification	C:\Windows\SysWOW64\GvPGxKUED.dll	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3452	912	WerFault.exe	80
4452	912	WerFault.exe	80
480	912	WerFault.exe	80

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
912	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 3452	912	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe	82
PID 912 wrote to memory of 3452	912	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe	82
PID 912 wrote to memory of 3452	912	bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe	82

C:\Users\Admin\AppData\Local\Temp\bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe
"C:\Users\Admin\AppData\Local\Temp\bcf058ace58238c1e62e733d0f2020b23dd24eb02a4bf4dbe6f76b77d1f0e73d.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 464
  2⤵
  - Program crash
  PID:3452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 464
  2⤵
  - Program crash
  PID:4452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 464
  2⤵
  - Program crash
  PID:480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 912 -ip 912
1⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 912 -ip 912
1⤵
PID:3896

C:\Windows\SysWOW64\GvPGxKUED.dll

Filesize
1.6MB

MD5
5870ea0d6ba8dd6e2008466bdd00e0f4

SHA1
d41bf60d0dedff90e3cfc1b41b7e1a73df39a7d5

SHA256
5a7dac8c8b5d7cf1115246dfaf994e7f50e16a7eac1488642396f5e23fddfe0d

SHA512
0c620d5e7383adcf979feccc3b1bad584a5cec8b3d74d0ace8bb786f1f04ba87fa70d59d041dc3833977d44a75f2070181d4054c7c0b9c4ce2d66249b4b3c837

Download Submit
C:\Windows\SysWOW64\gUpfVk.dll

Filesize
625KB

MD5
eccf28d7e5ccec24119b88edd160f8f4

SHA1
98509587a3d37a20b56b50fd57f823a1691a034c

SHA256
820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

SHA512
c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

Download Submit
memory/912-136-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3452-137-0x0000000000000000-mapping.dmp

Download