f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37

Analysis

max time kernel
83s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe
Size

256KB
MD5

ebd560ca8b1801d5dde52c46cfa24594
SHA1

bc7bacd21a9afbe58bd42f47261c2c99462fc3ab
SHA256

f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37
SHA512

b6b41046a096ee6614407f542b70d2588285097b35757fc8ad87f6a4609966aa477d48d10861eae56c8272b72a9b8ab4cdd367adf73d325741ac012cb101edf5
SSDEEP

3072:9yALIKeh+MQg3N336MdMfLirKyI8R19HWDdRinN336MIafLiaD/s:8TqqULirNI8R19idR8qLOLiag

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4896-132-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/memory/4896-133-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/memory/4896-140-0x0000000000400000-0x0000000000441000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4896 set thread context of 4644	4896	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe	79
PID 4896 set thread context of 0	4896	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4644	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe
4644	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe
4644	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe
4644	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4896	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 4644	4896	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe	79
PID 4896 wrote to memory of 4644	4896	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe	79
PID 4896 wrote to memory of 4644	4896	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe	79
PID 4896 wrote to memory of 4644	4896	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe	79
PID 4896 wrote to memory of 4644	4896	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe	79
PID 4896 wrote to memory of 4644	4896	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe	79
PID 4896 wrote to memory of 4644	4896	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe	79
PID 4896 wrote to memory of 0	4896	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe
PID 4896 wrote to memory of 0	4896	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe
PID 4896 wrote to memory of 0	4896	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe
PID 4896 wrote to memory of 0	4896	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe
PID 4644 wrote to memory of 3052	4644	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe	30
PID 4644 wrote to memory of 3052	4644	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe	30
PID 4644 wrote to memory of 3052	4644	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe	30
PID 4644 wrote to memory of 3052	4644	f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3052
- C:\Users\Admin\AppData\Local\Temp\f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe
  "C:\Users\Admin\AppData\Local\Temp\f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe
    "C:\Users\Admin\AppData\Local\Temp\f4e9a6c1952347aa53d412b589d9c199c00c28cf6f40f056371304f16522ff37.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3052-143-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/4644-137-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4644-141-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4644-142-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4644-144-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4896-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-140-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download