495b47032148e8f96a1bc70f085d6d0f5eacc48554ae4b4e76feb1ffe66d89cb

Analysis

max time kernel
175s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 10:23

Target

495b47032148e8f96a1bc70f085d6d0f5eacc48554ae4b4e76feb1ffe66d89cb.exe
Size

134KB
MD5

4808dd396dfabe6a632600d8abf01c72
SHA1

dae02b8c0629e8bcf65840bcf9b9abf2f70c449a
SHA256

495b47032148e8f96a1bc70f085d6d0f5eacc48554ae4b4e76feb1ffe66d89cb
SHA512

890dce292c0495c6b07077b87a08c1faa9559b3df75cd1b1ce8eb0f6e5e76b8e3c30565f3d2ac661d2b7c488dfd57640496d601fe669af7ad1790e8b3c4b3e63
SSDEEP

3072:k+y523F8DTtYinkr4jaR90ymkNPmkVMCZU+UDQ/n:k+wHtYikr4a9/mkNP6w0Dg

Score

8^/10

upx

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/4328-134-0x0000000010000000-0x000000001000F000-memory.dmp	upx
behavioral2/memory/4328-137-0x0000000010000000-0x000000001000F000-memory.dmp	upx
behavioral2/memory/4328-138-0x0000000010000000-0x000000001000F000-memory.dmp	upx
behavioral2/memory/4328-139-0x0000000010000000-0x000000001000F000-memory.dmp	upx
behavioral2/memory/4328-141-0x0000000010000000-0x000000001000F000-memory.dmp	upx

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4328	495b47032148e8f96a1bc70f085d6d0f5eacc48554ae4b4e76feb1ffe66d89cb.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 4328	3860	495b47032148e8f96a1bc70f085d6d0f5eacc48554ae4b4e76feb1ffe66d89cb.exe	83
PID 3860 wrote to memory of 4328	3860	495b47032148e8f96a1bc70f085d6d0f5eacc48554ae4b4e76feb1ffe66d89cb.exe	83
PID 3860 wrote to memory of 4328	3860	495b47032148e8f96a1bc70f085d6d0f5eacc48554ae4b4e76feb1ffe66d89cb.exe	83

C:\Users\Admin\AppData\Local\Temp\495b47032148e8f96a1bc70f085d6d0f5eacc48554ae4b4e76feb1ffe66d89cb.exe
"C:\Users\Admin\AppData\Local\Temp\495b47032148e8f96a1bc70f085d6d0f5eacc48554ae4b4e76feb1ffe66d89cb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Users\Admin\AppData\Local\Temp\495b47032148e8f96a1bc70f085d6d0f5eacc48554ae4b4e76feb1ffe66d89cb.exe
  ?
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4328

memory/3860-133-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4328-132-0x0000000000000000-mapping.dmp

Download
memory/4328-134-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/4328-137-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/4328-138-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/4328-139-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/4328-140-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4328-141-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download