a536214e566008d71371a5abdfb3c2c025c9af1789fbfe85bdb593c030dc7a64

Analysis

max time kernel
141s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 22:55

Target

063ee4ca1a6deb61126427dbb51337c0.exe
Size

221KB
MD5

063ee4ca1a6deb61126427dbb51337c0
SHA1

866bc357a5db598b43fb1e660ef00f8fcdee9c7c
SHA256

a536214e566008d71371a5abdfb3c2c025c9af1789fbfe85bdb593c030dc7a64
SHA512

4f3a3336216223d08209d84bb6927eac56faad0366aaa2254e186d76cecea2ebbff35a2874553da13b61808ec4d392e10dc14e6fd05931fd898929ae056c403d
SSDEEP

3072:H2kwqLcXh3Sd81YPGr+6sQ2jZIzgj1R0HLMyG1KkFbrH5om38zJGFSHj9o6C:WkNLmls0gt6GHRXL1K6rZoK8zeSD9o6

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
544	ddddddddd.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/1124-0-0x0000000010000000-0x000000001009F000-memory.dmp	upx
behavioral2/files/0x0007000000023225-4.dat	upx
behavioral2/memory/1124-8-0x0000000010000000-0x000000001009F000-memory.dmp	upx
behavioral2/memory/544-7-0x0000000010000000-0x000000001009F000-memory.dmp	upx
behavioral2/memory/544-5-0x0000000010000000-0x000000001009F000-memory.dmp	upx
behavioral2/files/0x0007000000023225-3.dat	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ddddddddd.exe	ddddddddd.exe
File created	C:\Windows\SysWOW64\ddddddddd.exe	063ee4ca1a6deb61126427dbb51337c0.exe
File opened for modification	C:\Windows\SysWOW64\ddddddddd.exe	063ee4ca1a6deb61126427dbb51337c0.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 4976	544	ddddddddd.exe	22
PID 544 wrote to memory of 4976	544	ddddddddd.exe	22
PID 544 wrote to memory of 4976	544	ddddddddd.exe	22
PID 1124 wrote to memory of 2228	1124	063ee4ca1a6deb61126427dbb51337c0.exe	16
PID 1124 wrote to memory of 2228	1124	063ee4ca1a6deb61126427dbb51337c0.exe	16
PID 1124 wrote to memory of 2228	1124	063ee4ca1a6deb61126427dbb51337c0.exe	16

C:\Users\Admin\AppData\Local\Temp\063ee4ca1a6deb61126427dbb51337c0.exe
"C:\Users\Admin\AppData\Local\Temp\063ee4ca1a6deb61126427dbb51337c0.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\063ee4ca1a6deb61126427dbb51337c0.exe"
  2⤵
  PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\ddddddddd.exe"
1⤵
PID:4976

C:\Windows\SysWOW64\ddddddddd.exe

Filesize
31KB

MD5
28ebf058cc878a4d9fcc496e89079829

SHA1
316b385fbbbe220f97e691c5cb19f30b0a8ef23c

SHA256
36dd8a84884cf43502d5add7d7cdbeaa0e93ae2245df0da39834b877a94b2c83

SHA512
031381512a8222426dac1c68dc9db6c7b862a07959c2c35aa9b7ea285ceff015c37fcec19d6300107d921567429a69dbdf82386a752257e2f9b7b6dfe6e6a820

Download Submit
C:\Windows\SysWOW64\ddddddddd.exe

Filesize
8KB

MD5
c2a8bbd3cc7e816600b379377b4a72ed

SHA1
04368867dbec5c7096d29424dac64eaabb3d0a12

SHA256
c8298ca11b73238654093882a9ff0e9bc1c0fe940a1e1b266390dca72e6761d5

SHA512
9d22c48a08cc50e5608cd0408560dce59e32d99e969a9a5fda90a0e9b53f769165773a5d8ef26de5ea4294cc4cb133d4f9aa6c5bd7fb8bcbe9448f441f74cf8a

Download Submit
memory/544-7-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/544-6-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/544-5-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1124-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1124-8-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1124-2-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download