53f5c39d920bc028011e540a23f563e35a8fb1fb3eb8d94e6138874cefa81431

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 02:32

Target

0bc5e87ac979995aa21f50ff148bb0b2.exe
Size

22KB
MD5

0bc5e87ac979995aa21f50ff148bb0b2
SHA1

7d93bb99610d5f0f0c40c206cc88f6d6fbceda3b
SHA256

53f5c39d920bc028011e540a23f563e35a8fb1fb3eb8d94e6138874cefa81431
SHA512

e236f4b6aad4d0e2e73f27eb9fe69d4eec36138ec9a818f15c8908c692acc46a9d075d770fdf6a6d8710b1cb800d4525fb4a5904e65f3abab5641d9d5102c497
SSDEEP

384:bPGOXEqpmTwT/IcO8lBTexuDWRaRqGjcqIpBjEvXkSwea5Id2WDfQFkZ4cQnwqgS:bPlXiTwT/sxuqRryLweXx8FMRQn

Score

7^/10

upx

Deletes itself 1 IoCs

pid	Process
2388	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2732-0-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/2732-10-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Downdll.dll	0bc5e87ac979995aa21f50ff148bb0b2.exe
File created	C:\Windows\SysWOW64\Downdll.dll	0bc5e87ac979995aa21f50ff148bb0b2.exe
File created	C:\Windows\SysWOW64\Delme.bat	0bc5e87ac979995aa21f50ff148bb0b2.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2732	0bc5e87ac979995aa21f50ff148bb0b2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	0bc5e87ac979995aa21f50ff148bb0b2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2388	2732	0bc5e87ac979995aa21f50ff148bb0b2.exe	29
PID 2732 wrote to memory of 2388	2732	0bc5e87ac979995aa21f50ff148bb0b2.exe	29
PID 2732 wrote to memory of 2388	2732	0bc5e87ac979995aa21f50ff148bb0b2.exe	29
PID 2732 wrote to memory of 2388	2732	0bc5e87ac979995aa21f50ff148bb0b2.exe	29

C:\Users\Admin\AppData\Local\Temp\0bc5e87ac979995aa21f50ff148bb0b2.exe
"C:\Users\Admin\AppData\Local\Temp\0bc5e87ac979995aa21f50ff148bb0b2.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Delme.bat
  2⤵
  - Deletes itself
  PID:2388

C:\Windows\SysWOW64\Delme.bat

Filesize
184B

MD5
e6c2809574897ae08d4188f3635f6857

SHA1
8559a70a1ee86f4c4f2f15db0a2ca7aa8b18529b

SHA256
2a344d6084a16b8d8c01138bdfa8ea8ed779caaa84c2c40bf2a6b85f2bbdd396

SHA512
19e45dee93e0fbcd8f63e26448a484ac146f3c3089d848124fa6bcfdc3e65fd44c92b8c46d237abe0286e72e63d1e04ab0f2d1af666dab093106b8ead85f7f7a

Download Submit
memory/2732-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2732-10-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download