a9f5bb643edf5b44ca7b3fdc8cb851ddfbf45b5df0aad80397c25a35d49db180

Analysis

max time kernel
36s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 08:40

Target

a9f5bb643edf5b44ca7b3fdc8cb851ddfbf45b5df0aad80397c25a35d49db180.exe
Size

145KB
MD5

44bf990f1d370aa9775b5c12a9ab708e
SHA1

4d7587cd656a23c47f56a95204ca4c93acb142d0
SHA256

a9f5bb643edf5b44ca7b3fdc8cb851ddfbf45b5df0aad80397c25a35d49db180
SHA512

97a0596dec4dbea4b225730302e237559b0a3a1488157078b3659f7c0560279f1e94b1f71a5484809ebcfe30e292163765d86d3c45692fdba5238cf169af4d88
SSDEEP

1536:6vOVXNmp1M8OG6SK8aY/vmt1c2ezLz3g/VE2LmJiHCIrKbIy5TzlKwa3MwF7JrWj:vVXN0i0/n2F9LmJirrCzvPwKwEB/p

Score

8^/10

upx

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1380-57-0x0000000010000000-0x000000001000F000-memory.dmp	upx
behavioral1/memory/1380-61-0x0000000010000000-0x000000001000F000-memory.dmp	upx
behavioral1/memory/1380-60-0x0000000010000000-0x000000001000F000-memory.dmp	upx
behavioral1/memory/1380-63-0x0000000010000000-0x000000001000F000-memory.dmp	upx
behavioral1/memory/1380-64-0x0000000010000000-0x000000001000F000-memory.dmp	upx

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1380	a9f5bb643edf5b44ca7b3fdc8cb851ddfbf45b5df0aad80397c25a35d49db180.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 1380	1952	a9f5bb643edf5b44ca7b3fdc8cb851ddfbf45b5df0aad80397c25a35d49db180.exe	26
PID 1952 wrote to memory of 1380	1952	a9f5bb643edf5b44ca7b3fdc8cb851ddfbf45b5df0aad80397c25a35d49db180.exe	26
PID 1952 wrote to memory of 1380	1952	a9f5bb643edf5b44ca7b3fdc8cb851ddfbf45b5df0aad80397c25a35d49db180.exe	26
PID 1952 wrote to memory of 1380	1952	a9f5bb643edf5b44ca7b3fdc8cb851ddfbf45b5df0aad80397c25a35d49db180.exe	26

C:\Users\Admin\AppData\Local\Temp\a9f5bb643edf5b44ca7b3fdc8cb851ddfbf45b5df0aad80397c25a35d49db180.exe
"C:\Users\Admin\AppData\Local\Temp\a9f5bb643edf5b44ca7b3fdc8cb851ddfbf45b5df0aad80397c25a35d49db180.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\a9f5bb643edf5b44ca7b3fdc8cb851ddfbf45b5df0aad80397c25a35d49db180.exe
  ?
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1380

memory/1380-56-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/1380-57-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/1380-61-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/1380-60-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/1380-62-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1380-63-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/1380-64-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/1952-55-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download