a536214e566008d71371a5abdfb3c2c025c9af1789fbfe85bdb593c030dc7a64

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 22:55

Target

063ee4ca1a6deb61126427dbb51337c0.exe
Size

221KB
MD5

063ee4ca1a6deb61126427dbb51337c0
SHA1

866bc357a5db598b43fb1e660ef00f8fcdee9c7c
SHA256

a536214e566008d71371a5abdfb3c2c025c9af1789fbfe85bdb593c030dc7a64
SHA512

4f3a3336216223d08209d84bb6927eac56faad0366aaa2254e186d76cecea2ebbff35a2874553da13b61808ec4d392e10dc14e6fd05931fd898929ae056c403d
SSDEEP

3072:H2kwqLcXh3Sd81YPGr+6sQ2jZIzgj1R0HLMyG1KkFbrH5om38zJGFSHj9o6C:WkNLmls0gt6GHRXL1K6rZoK8zeSD9o6

Score

7^/10

upx

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2116	ddddddddd.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1948-0-0x0000000010000000-0x000000001009F000-memory.dmp	upx
behavioral1/files/0x0009000000012248-3.dat	upx
behavioral1/memory/1948-6-0x0000000010000000-0x000000001009F000-memory.dmp	upx
behavioral1/memory/2116-7-0x0000000010000000-0x000000001009F000-memory.dmp	upx
behavioral1/memory/1948-12-0x0000000010000000-0x000000001009F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ddddddddd.exe	063ee4ca1a6deb61126427dbb51337c0.exe
File opened for modification	C:\Windows\SysWOW64\ddddddddd.exe	063ee4ca1a6deb61126427dbb51337c0.exe
File created	C:\Windows\SysWOW64\ddddddddd.exe	ddddddddd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2548	1948	063ee4ca1a6deb61126427dbb51337c0.exe	29
PID 1948 wrote to memory of 2548	1948	063ee4ca1a6deb61126427dbb51337c0.exe	29
PID 1948 wrote to memory of 2548	1948	063ee4ca1a6deb61126427dbb51337c0.exe	29
PID 1948 wrote to memory of 2548	1948	063ee4ca1a6deb61126427dbb51337c0.exe	29

C:\Users\Admin\AppData\Local\Temp\063ee4ca1a6deb61126427dbb51337c0.exe
"C:\Users\Admin\AppData\Local\Temp\063ee4ca1a6deb61126427dbb51337c0.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\063ee4ca1a6deb61126427dbb51337c0.exe"
  2⤵
  - Deletes itself
  PID:2548

C:\Windows\SysWOW64\ddddddddd.exe

Filesize
221KB

MD5
063ee4ca1a6deb61126427dbb51337c0

SHA1
866bc357a5db598b43fb1e660ef00f8fcdee9c7c

SHA256
a536214e566008d71371a5abdfb3c2c025c9af1789fbfe85bdb593c030dc7a64

SHA512
4f3a3336216223d08209d84bb6927eac56faad0366aaa2254e186d76cecea2ebbff35a2874553da13b61808ec4d392e10dc14e6fd05931fd898929ae056c403d

Download Submit
memory/1948-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1948-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1948-6-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1948-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1948-12-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2116-5-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2116-7-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download