c260718529a17dbc9422d74722db007d6c426ff5d553a66ed63842a712ec0b28

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 03:22

Target

0cd3413bc13ff2fe72fb4818d901fbe4.exe
Size

8KB
MD5

0cd3413bc13ff2fe72fb4818d901fbe4
SHA1

4d9b87344fb7abfa4577bc3adf5b22d8f5beca82
SHA256

c260718529a17dbc9422d74722db007d6c426ff5d553a66ed63842a712ec0b28
SHA512

0657cb9faf365259c590296e8ceeeae848d8773676e729b67dbc9755b0cd4e633478fcc883e6206b2451e77f4b926bea960bbacd8b8ff0ebd6f41ee74f6b1cf4
SSDEEP

192:8Qkt0sTlIJCBwcrpcgATYwyKXqast59ELWBJmjGhZL2B:8ft0spfrpcgMBat59yWPmjSVy

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
4552	winl0g0n.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/2484-0-0x0000000013140000-0x0000000013149000-memory.dmp	upx
behavioral2/files/0x0011000000023169-8.dat	upx
behavioral2/memory/4552-10-0x0000000013140000-0x0000000013149000-memory.dmp	upx
behavioral2/memory/4552-14-0x0000000013140000-0x0000000013149000-memory.dmp	upx
behavioral2/memory/2484-15-0x0000000013140000-0x0000000013149000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winl0g0n.exe	0cd3413bc13ff2fe72fb4818d901fbe4.exe
File created	C:\Windows\winl0g0n.exe	0cd3413bc13ff2fe72fb4818d901fbe4.exe
File opened for modification	C:\Windows\winl0g0n.exe	winl0g0n.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4552	winl0g0n.exe
4552	winl0g0n.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2484	0cd3413bc13ff2fe72fb4818d901fbe4.exe
4552	winl0g0n.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2260	2484	0cd3413bc13ff2fe72fb4818d901fbe4.exe	97
PID 2484 wrote to memory of 2260	2484	0cd3413bc13ff2fe72fb4818d901fbe4.exe	97
PID 2484 wrote to memory of 2260	2484	0cd3413bc13ff2fe72fb4818d901fbe4.exe	97
PID 2484 wrote to memory of 4552	2484	0cd3413bc13ff2fe72fb4818d901fbe4.exe	98
PID 2484 wrote to memory of 4552	2484	0cd3413bc13ff2fe72fb4818d901fbe4.exe	98
PID 2484 wrote to memory of 4552	2484	0cd3413bc13ff2fe72fb4818d901fbe4.exe	98
PID 4552 wrote to memory of 3468	4552	winl0g0n.exe	28
PID 4552 wrote to memory of 3468	4552	winl0g0n.exe	28
PID 4552 wrote to memory of 3468	4552	winl0g0n.exe	28

C:\Users\Admin\AppData\Local\Temp\Del.bat

Filesize
124B

MD5
c8ca5e9254d686cceb3005343ad1606b

SHA1
c231c72029d84f97e711c68c65201db0339e36b1

SHA256
d846f027c003a7a65148eec3f1e8403ac069fed52041383d12b48f02e163bbb9

SHA512
cb21716f4409c5a322f5c6b0fef83b1809e57129b1c581a20ce1a1e26126a5f681c4a0a96a14f65cefd19e888540a2c0816eb57bfbb6e2bebca05245d940be9f

Download Submit
C:\Windows\winl0g0n.exe

Filesize
8KB

MD5
0cd3413bc13ff2fe72fb4818d901fbe4

SHA1
4d9b87344fb7abfa4577bc3adf5b22d8f5beca82

SHA256
c260718529a17dbc9422d74722db007d6c426ff5d553a66ed63842a712ec0b28

SHA512
0657cb9faf365259c590296e8ceeeae848d8773676e729b67dbc9755b0cd4e633478fcc883e6206b2451e77f4b926bea960bbacd8b8ff0ebd6f41ee74f6b1cf4

Download Submit
memory/2484-0-0x0000000013140000-0x0000000013149000-memory.dmp

Filesize
36KB

Download
memory/2484-15-0x0000000013140000-0x0000000013149000-memory.dmp

Filesize
36KB

Download
memory/4552-10-0x0000000013140000-0x0000000013149000-memory.dmp

Filesize
36KB

Download
memory/4552-14-0x0000000013140000-0x0000000013149000-memory.dmp

Filesize
36KB

Download