bddd019944f8d1a5d33bde6c3204e040d7e64ff04ac1b6e4b27a7dec051e032c

Analysis

max time kernel
94s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 07:43

Target

5d417eb93be5160bff149e97f1a49169.exe
Size

43KB
MD5

5d417eb93be5160bff149e97f1a49169
SHA1

45a005a1b4e5d440155d8a80ae2c3c625a603fdd
SHA256

bddd019944f8d1a5d33bde6c3204e040d7e64ff04ac1b6e4b27a7dec051e032c
SHA512

8187efc3cfc9db0d2de3e984d8d856091bbf7c549325cb0bcad58bf6802e73dd8feb2649d7eac4e8ff9c218f82f4f509ee563c63c73661f7dcdc0318966a17c0
SSDEEP

768:iYeeUpWzliDQvxAtl5fnRgozzWUgnPHcyoU30/oZfc9MmhTAWJRVuNE7ag+x:tDpAP9nWUkPH7o20/afc9M8TAwI0W

Score

7^/10

upx

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/1156-2-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1156-1-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1156-0-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4648 set thread context of 1156	4648	5d417eb93be5160bff149e97f1a49169.exe	40

Program crash 1 IoCs

pid	pid_target	Process
1416	1156	WerFault.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1156	5d417eb93be5160bff149e97f1a49169.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 1156	4648	5d417eb93be5160bff149e97f1a49169.exe	40
PID 4648 wrote to memory of 1156	4648	5d417eb93be5160bff149e97f1a49169.exe	40
PID 4648 wrote to memory of 1156	4648	5d417eb93be5160bff149e97f1a49169.exe	40
PID 4648 wrote to memory of 1156	4648	5d417eb93be5160bff149e97f1a49169.exe	40
PID 4648 wrote to memory of 1156	4648	5d417eb93be5160bff149e97f1a49169.exe	40
PID 4648 wrote to memory of 1156	4648	5d417eb93be5160bff149e97f1a49169.exe	40
PID 4648 wrote to memory of 1156	4648	5d417eb93be5160bff149e97f1a49169.exe	40
PID 4648 wrote to memory of 1156	4648	5d417eb93be5160bff149e97f1a49169.exe	40

C:\Users\Admin\AppData\Local\Temp\5d417eb93be5160bff149e97f1a49169.exe
"C:\Users\Admin\AppData\Local\Temp\5d417eb93be5160bff149e97f1a49169.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Users\Admin\AppData\Local\Temp\5d417eb93be5160bff149e97f1a49169.exe
  "C:\Users\Admin\AppData\Local\Temp\5d417eb93be5160bff149e97f1a49169.exe"
  2⤵
  - Suspicious use of UnmapMainImage
  PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1156 -ip 1156
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 12
1⤵
- Program crash
PID:1416

memory/1156-2-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1156-1-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1156-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4648-4-0x0000000000040000-0x0000000000051000-memory.dmp

Filesize
68KB

Download