cf239f78ac1b7e72e301dd8f0482866e8ff664bc4c9ad7f78648b466dbeef9ff

Analysis

max time kernel
119s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 15:05

Target

77bc02e8c565cee1288a6f918711136c.exe
Size

28KB
MD5

77bc02e8c565cee1288a6f918711136c
SHA1

50283f269435ed351cd9a04e605ed607617dc744
SHA256

cf239f78ac1b7e72e301dd8f0482866e8ff664bc4c9ad7f78648b466dbeef9ff
SHA512

4b3cb9347d909c2cee960d4726a4800f556f9ae22c610a15fb86febe69281b7c835376e551965fc6d55fbed6a0c9ce0ba5761d62077e4bf78f19106919da344c
SSDEEP

768:5CUb3foaqTPawJG1VdPdEPcurxbjAmKmrV:QUL9qba+GvdPdEUWxbkmZV

Score

7^/10

upx

Deletes itself 1 IoCs

pid	Process
2764	cmd.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2028-0-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/2720-5-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/2720-4-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/2028-13-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/2720-15-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe:exe.exe	77bc02e8c565cee1288a6f918711136c.exe
File created	C:\Windows\SysWOW64\icf.exe	77bc02e8c565cee1288a6f918711136c.exe
File opened for modification	C:\Windows\SysWOW64\icf.exe	77bc02e8c565cee1288a6f918711136c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2028 set thread context of 2720	2028	77bc02e8c565cee1288a6f918711136c.exe	28

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2720	2028	77bc02e8c565cee1288a6f918711136c.exe	28
PID 2028 wrote to memory of 2720	2028	77bc02e8c565cee1288a6f918711136c.exe	28
PID 2028 wrote to memory of 2720	2028	77bc02e8c565cee1288a6f918711136c.exe	28
PID 2028 wrote to memory of 2720	2028	77bc02e8c565cee1288a6f918711136c.exe	28
PID 2028 wrote to memory of 2720	2028	77bc02e8c565cee1288a6f918711136c.exe	28
PID 2028 wrote to memory of 2764	2028	77bc02e8c565cee1288a6f918711136c.exe	29
PID 2028 wrote to memory of 2764	2028	77bc02e8c565cee1288a6f918711136c.exe	29
PID 2028 wrote to memory of 2764	2028	77bc02e8c565cee1288a6f918711136c.exe	29
PID 2028 wrote to memory of 2764	2028	77bc02e8c565cee1288a6f918711136c.exe	29

C:\Users\Admin\AppData\Local\Temp\77bc02e8c565cee1288a6f918711136c.exe
"C:\Users\Admin\AppData\Local\Temp\77bc02e8c565cee1288a6f918711136c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\2228227.bat
  2⤵
  - Deletes itself
  PID:2764

C:\Users\Admin\AppData\Local\Temp\2228227.bat

Filesize
235B

MD5
6d41571469772284adb1c46c5e71cb80

SHA1
7d38be1e37df1836abcb4b24df2cc1a40c751959

SHA256
309161b6b935c6dc5071e3e4ef9ede4a9d09dcf3676ddc83144023fd63e1305b

SHA512
9c80782655d7066d011c644b46cb99df957c7fcc62b88c08770ab63ab51d38f7eb9690596fb56c38ebdef13e3b663058f36387a52e86959032fc0d4408f4bd70

Download Submit
memory/2028-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2028-13-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2720-1-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2720-5-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2720-4-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2720-15-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download