b097ed632f075da65f97cfdf8a504553fd9b4758077d3d36bcfd1649cd902cb8

Analysis

max time kernel
72s
max time network
79s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2023, 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

flappy-bird_release.exe
Size

1.4MB
MD5

b3d3982e3dfda360bb93aa924860712f
SHA1

dd6bfbc5d14591601034fa3d1d210da401b5030d
SHA256

b097ed632f075da65f97cfdf8a504553fd9b4758077d3d36bcfd1649cd902cb8
SHA512

98672478aa15f341770a3b3f7478f719a49d42661dc6995ba23b7ac064ccb8482d526643684e05c75b0f5c362f14e9f5dbc5a34e88d6a80132a2032789792fc7
SSDEEP

24576:vs4jj+WT7BEU93pbkHyfFxs2vxpsAXgTan3etmCrU5mv7Bobi38:v4Y7Bppu2ZiAwS7CoI

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1176	flappy-bird_release.exe
1176	flappy-bird_release.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1176-136-0x0000000010000000-0x0000000010092000-memory.dmp	upx
behavioral2/memory/1176-143-0x0000000004C40000-0x0000000004C57000-memory.dmp	upx
behavioral2/memory/1176-145-0x0000000010000000-0x0000000010092000-memory.dmp	upx
behavioral2/memory/1176-146-0x0000000010000000-0x0000000010092000-memory.dmp	upx
behavioral2/memory/1176-147-0x0000000004C40000-0x0000000004C57000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
1176	flappy-bird_release.exe
1176	flappy-bird_release.exe
1176	flappy-bird_release.exe
1176	flappy-bird_release.exe
1176	flappy-bird_release.exe
1176	flappy-bird_release.exe
1176	flappy-bird_release.exe
1176	flappy-bird_release.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1176	flappy-bird_release.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 624	1176	flappy-bird_release.exe	84
PID 1176 wrote to memory of 624	1176	flappy-bird_release.exe	84
PID 1176 wrote to memory of 624	1176	flappy-bird_release.exe	84
PID 1176 wrote to memory of 4756	1176	flappy-bird_release.exe	92
PID 1176 wrote to memory of 4756	1176	flappy-bird_release.exe	92
PID 1176 wrote to memory of 4756	1176	flappy-bird_release.exe	92
PID 1176 wrote to memory of 968	1176	flappy-bird_release.exe	93
PID 1176 wrote to memory of 968	1176	flappy-bird_release.exe	93
PID 1176 wrote to memory of 968	1176	flappy-bird_release.exe	93
PID 1176 wrote to memory of 2556	1176	flappy-bird_release.exe	94
PID 1176 wrote to memory of 2556	1176	flappy-bird_release.exe	94
PID 1176 wrote to memory of 2556	1176	flappy-bird_release.exe	94
PID 1176 wrote to memory of 2180	1176	flappy-bird_release.exe	95
PID 1176 wrote to memory of 2180	1176	flappy-bird_release.exe	95
PID 1176 wrote to memory of 2180	1176	flappy-bird_release.exe	95
PID 1176 wrote to memory of 4764	1176	flappy-bird_release.exe	96
PID 1176 wrote to memory of 4764	1176	flappy-bird_release.exe	96
PID 1176 wrote to memory of 4764	1176	flappy-bird_release.exe	96
PID 1176 wrote to memory of 3192	1176	flappy-bird_release.exe	97
PID 1176 wrote to memory of 3192	1176	flappy-bird_release.exe	97
PID 1176 wrote to memory of 3192	1176	flappy-bird_release.exe	97
PID 1176 wrote to memory of 2876	1176	flappy-bird_release.exe	98
PID 1176 wrote to memory of 2876	1176	flappy-bird_release.exe	98
PID 1176 wrote to memory of 2876	1176	flappy-bird_release.exe	98
PID 1176 wrote to memory of 5076	1176	flappy-bird_release.exe	99
PID 1176 wrote to memory of 5076	1176	flappy-bird_release.exe	99
PID 1176 wrote to memory of 5076	1176	flappy-bird_release.exe	99
PID 1176 wrote to memory of 4820	1176	flappy-bird_release.exe	100
PID 1176 wrote to memory of 4820	1176	flappy-bird_release.exe	100
PID 1176 wrote to memory of 4820	1176	flappy-bird_release.exe	100

C:\Users\Admin\AppData\Local\Temp\flappy-bird_release.exe
"C:\Users\Admin\AppData\Local\Temp\flappy-bird_release.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c pause >nul
  2⤵
  PID:968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c pause >nul
  2⤵
  PID:4764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c pause >nul
  2⤵
  PID:5076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\evbD2E6.tmp

Filesize
1KB

MD5
087985729384de0812312352081efe0f

SHA1
b5241010c5e6e0f4f340f6192c3fff1ad778b299

SHA256
8dab4343a0e147d8ab9a34602abf5428ae5b22c8cb737ab66ba7ed8bed1ce53b

SHA512
ffe372c9f4c6be019efdb691e18b21b3870728d16b7dcae506830a82c0cf8d56ec340b67dfb72fba2447d91ef0db3355a306b54d6ca70ab4d044d50935507305

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbD393.tmp

Filesize
1KB

MD5
da6254e235341c70cc9b8c825e8b12c3

SHA1
01ce7386aae31b7987c459fa0816cd80cbb96534

SHA256
3c8b45cb7a57ecd21cd6f9a91f773486e5d7c16b78a76174dd79c9dc43c03019

SHA512
b6023af406032964c95e4df92f85633f111923cd31731f63dee46322b6136e870759d9e7efecda4a0a267ded4325ff8ad09b565d4de85ff428d82ee5a50ee694

Download Submit
memory/1176-146-0x0000000010000000-0x0000000010092000-memory.dmp

Filesize
584KB

Download
memory/1176-138-0x0000000000C80000-0x000000000110A000-memory.dmp

Filesize
4.5MB

Download
memory/1176-143-0x0000000004C40000-0x0000000004C57000-memory.dmp

Filesize
92KB

Download
memory/1176-145-0x0000000010000000-0x0000000010092000-memory.dmp

Filesize
584KB

Download
memory/1176-136-0x0000000010000000-0x0000000010092000-memory.dmp

Filesize
584KB

Download
memory/1176-147-0x0000000004C40000-0x0000000004C57000-memory.dmp

Filesize
92KB

Download
memory/1176-148-0x0000000000C80000-0x000000000110A000-memory.dmp

Filesize
4.5MB

Download
memory/1176-151-0x0000000000C80000-0x000000000110A000-memory.dmp

Filesize
4.5MB

Download
memory/1176-152-0x0000000000C80000-0x000000000110A000-memory.dmp

Filesize
4.5MB

Download
memory/1176-155-0x0000000000C80000-0x000000000110A000-memory.dmp

Filesize
4.5MB

Download
memory/1176-158-0x0000000000C80000-0x000000000110A000-memory.dmp

Filesize
4.5MB

Download
memory/1176-161-0x0000000000C80000-0x000000000110A000-memory.dmp

Filesize
4.5MB

Download
memory/1176-164-0x0000000000C80000-0x000000000110A000-memory.dmp

Filesize
4.5MB

Download