38512ffcc86b7ac49cab9e0c3dcd395e46dacb989fa94dd026e816755119544d

Analysis

max time kernel
29s
max time network
19s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21/10/2023, 21:29

Target

NEAS.b2200d78c0a035d1a95db0652159cfe0.exe
Size

93KB
MD5

b2200d78c0a035d1a95db0652159cfe0
SHA1

376e897f240c7a72dc1a8f39bb507444b3d003fb
SHA256

38512ffcc86b7ac49cab9e0c3dcd395e46dacb989fa94dd026e816755119544d
SHA512

17afefce5f03c9d13a0fdf35752ac4b713664e64be18959f03913ec5e0c545bc562ab6f7f1c243905bc98798e1f0356e84d29c196f7a08efcf66015168432d03
SSDEEP

1536:2QxRQHgur/cgllYSNW2F6Q95xdZrqlr24:BRQAuwQ95xdZr0

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
2028	yokitoki.exe

Loads dropped DLL 1 IoCs

pid	Process
2068	NEAS.b2200d78c0a035d1a95db0652159cfe0.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2068-0-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2068-1-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/files/0x000d000000012274-3.dat	upx
behavioral1/files/0x000d000000012274-6.dat	upx
behavioral1/memory/2028-7-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/files/0x000d000000012274-8.dat	upx

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2028	2068	NEAS.b2200d78c0a035d1a95db0652159cfe0.exe	28
PID 2068 wrote to memory of 2028	2068	NEAS.b2200d78c0a035d1a95db0652159cfe0.exe	28
PID 2068 wrote to memory of 2028	2068	NEAS.b2200d78c0a035d1a95db0652159cfe0.exe	28
PID 2068 wrote to memory of 2028	2068	NEAS.b2200d78c0a035d1a95db0652159cfe0.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.b2200d78c0a035d1a95db0652159cfe0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b2200d78c0a035d1a95db0652159cfe0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\yokitoki.exe
  C:\Users\Admin\AppData\Local\Temp\yokitoki.exe
  2⤵
  - Executes dropped EXE
  PID:2028

C:\Users\Admin\AppData\Local\Temp\yokitoki.exe

Filesize
93KB

MD5
44f2b22dc3804db5ff4fb722aa6123fa

SHA1
efd9b077ce106fc5130114539ab41e2eb2aded99

SHA256
9b4be343caa1ef662aeb6231e8b89e94cc39f126ea9d1aa6ddc52c6cf8ec2909

SHA512
5b63acd7d8ee870f219c0857f0420895731ebf646b2ff49d6c91fef9b81bcc7bb80cf97d8e60b8e5916ebb7882dad86b88bb39553ecb38f61de9496eccf6ce7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yokitoki.exe

Filesize
93KB

MD5
44f2b22dc3804db5ff4fb722aa6123fa

SHA1
efd9b077ce106fc5130114539ab41e2eb2aded99

SHA256
9b4be343caa1ef662aeb6231e8b89e94cc39f126ea9d1aa6ddc52c6cf8ec2909

SHA512
5b63acd7d8ee870f219c0857f0420895731ebf646b2ff49d6c91fef9b81bcc7bb80cf97d8e60b8e5916ebb7882dad86b88bb39553ecb38f61de9496eccf6ce7d

Download Submit
\Users\Admin\AppData\Local\Temp\yokitoki.exe

Filesize
93KB

MD5
44f2b22dc3804db5ff4fb722aa6123fa

SHA1
efd9b077ce106fc5130114539ab41e2eb2aded99

SHA256
9b4be343caa1ef662aeb6231e8b89e94cc39f126ea9d1aa6ddc52c6cf8ec2909

SHA512
5b63acd7d8ee870f219c0857f0420895731ebf646b2ff49d6c91fef9b81bcc7bb80cf97d8e60b8e5916ebb7882dad86b88bb39553ecb38f61de9496eccf6ce7d

Download Submit
memory/2028-7-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2068-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2068-1-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download