c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe
Size

270KB
MD5

4d2f526eba6324f1b0fd8266da515d1d
SHA1

0b01d325c09214d17c7f688fd22eb70af3cd506a
SHA256

c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a
SHA512

423ad4a7b8150d9bb61ab5d0d3e445e7a8fa3a2a628471ff9c124ec43e5c80cb4487ac758406353822331c2d90536970d73e2460f74ff5bb55e8e875076dd058
SSDEEP

3072:ioLca+56U04PZXMuOHzK4DDlgro35evqevCevYAd5YlPfQn:GXMuOHzK4DDaroJHfo55n

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1784-60-0x0000000000400000-0x000000000043F000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1784 set thread context of 1624	1784	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe	28
PID 1784 set thread context of 0	1784	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1624	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe
1624	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1784	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 1624	1784	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe	28
PID 1784 wrote to memory of 1624	1784	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe	28
PID 1784 wrote to memory of 1624	1784	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe	28
PID 1784 wrote to memory of 1624	1784	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe	28
PID 1784 wrote to memory of 1624	1784	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe	28
PID 1784 wrote to memory of 1624	1784	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe	28
PID 1784 wrote to memory of 1624	1784	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe	28
PID 1784 wrote to memory of 1624	1784	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe	28
PID 1784 wrote to memory of 0	1784	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe
PID 1784 wrote to memory of 0	1784	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe
PID 1784 wrote to memory of 0	1784	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe
PID 1784 wrote to memory of 0	1784	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe
PID 1624 wrote to memory of 1220	1624	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe	16
PID 1624 wrote to memory of 1220	1624	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe	16
PID 1624 wrote to memory of 1220	1624	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe	16
PID 1624 wrote to memory of 1220	1624	c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe	16

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe
  "C:\Users\Admin\AppData\Local\Temp\c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Users\Admin\AppData\Local\Temp\c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe
    "C:\Users\Admin\AppData\Local\Temp\c3719a4bbeed5ccee544735474e0a86f2d2834e935f491c9628b6fd6c1d7a04a.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1220-63-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1624-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1624-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1624-62-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1624-66-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1784-60-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download