443d90f0c1b8984fc8056a3650f654a0cd91bfaf1f0587fd54df9e68cf7f2a41

Analysis

max time kernel
128s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 23:30

Target

06f9d9a2b6a1dab0b9929179b8b89636.exe
Size

9KB
MD5

06f9d9a2b6a1dab0b9929179b8b89636
SHA1

94232bff858505eab6d10171e539974dc2eb581f
SHA256

443d90f0c1b8984fc8056a3650f654a0cd91bfaf1f0587fd54df9e68cf7f2a41
SHA512

04c4352598a087e1e33de921a8ba0c239a2ba213c3fb67c3a98c04f64168d2ac6d401d2c37219fc1a67e645ee0b01ef09892f9cbd173d2e020c696546f3c48fd
SSDEEP

192:V2E8fuG4JTWgrujkf7v9yHq8CZdyD8SVspGH8a99dVIIGKg/QNc6TR:YEBZPrEEvYdb4wuy99d+Q269

Score

7^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1732-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1732-1-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\multimediaControls.chl\CLSID	06f9d9a2b6a1dab0b9929179b8b89636.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\multimediaControls.chl	06f9d9a2b6a1dab0b9929179b8b89636.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\multimediaControls.chl\CLSID\ = "{6BF52A52-394A-11D3-B153-00C04F79FAA6}"	06f9d9a2b6a1dab0b9929179b8b89636.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1996	1732	06f9d9a2b6a1dab0b9929179b8b89636.exe	17
PID 1732 wrote to memory of 1996	1732	06f9d9a2b6a1dab0b9929179b8b89636.exe	17
PID 1732 wrote to memory of 1996	1732	06f9d9a2b6a1dab0b9929179b8b89636.exe	17
PID 1732 wrote to memory of 1996	1732	06f9d9a2b6a1dab0b9929179b8b89636.exe	17

C:\Users\Admin\AppData\Local\Temp\06f9d9a2b6a1dab0b9929179b8b89636.exe
"C:\Users\Admin\AppData\Local\Temp\06f9d9a2b6a1dab0b9929179b8b89636.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\ctfmon.exe
  ctfmon.exe
  2⤵
  PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hdyj0.bat" "
  2⤵
  PID:1504

C:\Users\Admin\AppData\Local\Temp\hdyj0.bat

Filesize
274B

MD5
f6c8e958a7b7bea607b6cc538b5844c0

SHA1
a1af471a2c34f5c9f35b3ab25ac90755bcd70614

SHA256
a987234e45116948ea09b1f1d8906d21f4bef76418ab8a87f04c707cc046a311

SHA512
8de782f6786160a9c924d3da8088d60c42367768d1366de39f4b0bec7604fe90a76ed37971be6c60e42e95c1a3c488830a4ae05e9e015cf373effd7f4ecdee47

Download Submit
memory/1732-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1732-1-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download