ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51

Analysis

max time kernel
46s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe
Size

1.2MB
MD5

c20fe4f4b03aa040b1bb166d28765eaf
SHA1

af9ad071dfe6c1c16bf000d777710a6d8aee8124
SHA256

ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51
SHA512

8f79ba5275971ef8eb6bd16ba98c6db89cd45a475bff78062a94f62673dc7d18839e3ba5b02147baebad484838f6adcb30ac6b66d5b8ae43b9e84ddffd58317c
SSDEEP

24576:N/rrMYs71CVzJrg4vX3IHmNSx8VDBEwjK6wT8coLKqg+BsimJcwm6Al:NDr5s6rX3hNSCxBEF6BOXSrWql

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1028-55-0x0000000000400000-0x00000000009B8000-memory.dmp	upx
behavioral1/memory/1028-67-0x0000000000400000-0x00000000009B8000-memory.dmp	upx
behavioral1/memory/1028-70-0x0000000000400000-0x00000000009B8000-memory.dmp	upx
behavioral1/memory/2036-71-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2036-75-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2036-76-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2036-82-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1028 set thread context of 944	1028	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	27
PID 1028 set thread context of 0	1028	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe
PID 944 set thread context of 2036	944	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	28
PID 2036 set thread context of 1760	2036	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	29

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1028	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe
944	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe
2036	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 944	1028	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	27
PID 1028 wrote to memory of 944	1028	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	27
PID 1028 wrote to memory of 944	1028	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	27
PID 1028 wrote to memory of 944	1028	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	27
PID 1028 wrote to memory of 944	1028	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	27
PID 1028 wrote to memory of 944	1028	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	27
PID 1028 wrote to memory of 944	1028	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	27
PID 1028 wrote to memory of 944	1028	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	27
PID 1028 wrote to memory of 944	1028	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	27
PID 1028 wrote to memory of 944	1028	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	27
PID 1028 wrote to memory of 0	1028	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe
PID 1028 wrote to memory of 0	1028	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe
PID 1028 wrote to memory of 0	1028	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe
PID 1028 wrote to memory of 0	1028	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe
PID 1028 wrote to memory of 0	1028	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe
PID 1028 wrote to memory of 0	1028	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe
PID 944 wrote to memory of 2036	944	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	28
PID 944 wrote to memory of 2036	944	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	28
PID 944 wrote to memory of 2036	944	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	28
PID 944 wrote to memory of 2036	944	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	28
PID 944 wrote to memory of 2036	944	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	28
PID 944 wrote to memory of 2036	944	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	28
PID 944 wrote to memory of 2036	944	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	28
PID 944 wrote to memory of 2036	944	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	28
PID 944 wrote to memory of 2036	944	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	28
PID 2036 wrote to memory of 1760	2036	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	29
PID 2036 wrote to memory of 1760	2036	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	29
PID 2036 wrote to memory of 1760	2036	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	29
PID 2036 wrote to memory of 1760	2036	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	29
PID 2036 wrote to memory of 1760	2036	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	29
PID 2036 wrote to memory of 1760	2036	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	29
PID 2036 wrote to memory of 1760	2036	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	29
PID 2036 wrote to memory of 1760	2036	ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe	29

C:\Users\Admin\AppData\Local\Temp\ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe
"C:\Users\Admin\AppData\Local\Temp\ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Local\Temp\ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe
  "C:\Users\Admin\AppData\Local\Temp\ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Users\Admin\AppData\Local\Temp\ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe
    C:\Users\Admin\AppData\Local\Temp\ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe
      C:\Users\Admin\AppData\Local\Temp\ec185837e2c651e387ac4f49d6e172c793c1bcb2e493ebb9a800249656d2df51.exe
      4⤵
      PID:1760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/0-66-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/944-58-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/944-74-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/944-61-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/944-62-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/944-63-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/944-64-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/944-65-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1028-57-0x0000000002FC0000-0x0000000003578000-memory.dmp

Filesize
5.7MB

Download
memory/1028-67-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/1028-70-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/1028-55-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/1760-79-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1760-83-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/1760-84-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/1760-85-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1760-86-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2036-75-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2036-76-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2036-71-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2036-82-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2036-87-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download