3cd09d06006e65af26cc8a600b69209bffa46412f41d5f97fc256204ca08aabf

Analysis

max time kernel
91s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2022, 18:47

Target

Off.exe
Size

22KB
MD5

166d27e7cbe01bfce200e98be9203a87
SHA1

ac0330713d29a93a3fb669e831726626f62033b6
SHA256

3cd09d06006e65af26cc8a600b69209bffa46412f41d5f97fc256204ca08aabf
SHA512

e806b2ed07e72b697ee144f83684c24767b46b93ddba96ecb9e681d3eb0e2a98b6f5c6ef240197911828de844f31d97aa8798094ae5818dea67c651f5c6457c5
SSDEEP

384:1bCEXMMADQIrUeNFwx9E5xtT6fkCMst8AdxIiv4dK8y8KG8szTO4Am7UnwtzwGpE:l1NAUsbxtT6sFst/3IrdlLUw1QnbcuyT

Score

8^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/1812-133-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/1812-137-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\DXM.REG	cmd.exe
File opened for modification	C:\Windows\DXM.reg	cmd.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4272	regedit.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 5004	1812	Off.exe	83
PID 1812 wrote to memory of 5004	1812	Off.exe	83
PID 1812 wrote to memory of 5004	1812	Off.exe	83
PID 5004 wrote to memory of 4272	5004	cmd.exe	84
PID 5004 wrote to memory of 4272	5004	cmd.exe	84
PID 5004 wrote to memory of 4272	5004	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\Off.exe
"C:\Users\Admin\AppData\Local\Temp\Off.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6769.tmp\Off.bat""
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Windows\DXM.reg
    3⤵
    - Runs .reg file with regedit
    PID:4272

C:\Users\Admin\AppData\Local\Temp\6769.tmp\Off.bat

Filesize
416B

MD5
ffe2d38331e1b3fc31cf954237ef1d01

SHA1
c20cf330b18df6ccfec2f956244a1c2af4cd445f

SHA256
de5a1043764f64bd0962a87729d3c7bb437398b59b50bbed48dbfec9a27e4d9f

SHA512
c6ca6712b190d9966b1a6a10e18b92ee6b685236a5d93c52e3cdcec07b41e7ded6795022bb2212c0e0b8d543ab78a7ff6f2a3776f8181bbfbed1d052f8f4289c

Download Submit
C:\Windows\DXM.REG

Filesize
235B

MD5
c12e7d7aa537c0e1f2ba2fe31ea288d7

SHA1
ae31e917c3abb001c76a20eae2db4374b834254b

SHA256
b2eae9be6ed47923aeb6fe61b27f216d1b53c97a0c785b6e1a0a3fba0166b57c

SHA512
c6ca32f63f3705777abac0f0d05e0213290581c9503af24457ac51cf7ce2b2034b10c8813f42588ebc039f63cdf32f1198c8a98a09a153c2ed3ac486a3f67b3e

Download Submit
memory/1812-133-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1812-137-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download