d880f67d0ea30bc1e96a21220be6626213ec4aeb65c4f6659056d555db37143c

Analysis

max time kernel
210s
max time network
252s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 03:23

Target

0cd93dec5db32a18f796b7d7e127b051.exe
Size

71KB
MD5

0cd93dec5db32a18f796b7d7e127b051
SHA1

3d4b90d02f0435498edf5b1c8c0d37b4534850ed
SHA256

d880f67d0ea30bc1e96a21220be6626213ec4aeb65c4f6659056d555db37143c
SHA512

521b94fca00b7f68bd18df9a762d1f8e74e3f0ec8a0730367ddc26e603be292333393ccd78c4aeecec70ef752d574b8daa6fca9cee69e8b72d39bb05c94a647a
SSDEEP

1536:YwceqPmRNa4B1sD8na7+ntsJF5hcIP9qh0wFwzTb:YteqPedB1M8na+tsv5Zlg6Tb

Score

7^/10

upx

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/3764-0-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral2/memory/3764-3-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral2/memory/3764-5-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral2/memory/3764-6-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral2/files/0x0009000000023131-9.dat	upx
behavioral2/memory/3764-10-0x0000000000400000-0x0000000000451000-memory.dmp	upx

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 3424	3764	0cd93dec5db32a18f796b7d7e127b051.exe	95
PID 3764 wrote to memory of 3424	3764	0cd93dec5db32a18f796b7d7e127b051.exe	95
PID 3764 wrote to memory of 3424	3764	0cd93dec5db32a18f796b7d7e127b051.exe	95
PID 3764 wrote to memory of 1996	3764	0cd93dec5db32a18f796b7d7e127b051.exe	94
PID 3764 wrote to memory of 1996	3764	0cd93dec5db32a18f796b7d7e127b051.exe	94
PID 3764 wrote to memory of 1996	3764	0cd93dec5db32a18f796b7d7e127b051.exe	94
PID 3764 wrote to memory of 460	3764	0cd93dec5db32a18f796b7d7e127b051.exe	96
PID 3764 wrote to memory of 460	3764	0cd93dec5db32a18f796b7d7e127b051.exe	96
PID 3764 wrote to memory of 460	3764	0cd93dec5db32a18f796b7d7e127b051.exe	96

C:\Users\Admin\AppData\Local\Temp\0cd93dec5db32a18f796b7d7e127b051.exe
"C:\Users\Admin\AppData\Local\Temp\0cd93dec5db32a18f796b7d7e127b051.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy "C:\Users\Admin\AppData\Local\Temp\0cd93dec5db32a18f796b7d7e127b051.exe" "C:\Users\Admin\AppData\Local\Temp\system.exe"
  2⤵
  PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c if exist "C:\Users\Admin\AppData\Local\Temp\system.exe" ren "C:\Users\Admin\AppData\Local\Temp\system.exe" "6787.bak"
  2⤵
  PID:3424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\system.exe"
  2⤵
  PID:460

C:\Users\Admin\AppData\Local\Temp\system.exe

Filesize
71KB

MD5
0cd93dec5db32a18f796b7d7e127b051

SHA1
3d4b90d02f0435498edf5b1c8c0d37b4534850ed

SHA256
d880f67d0ea30bc1e96a21220be6626213ec4aeb65c4f6659056d555db37143c

SHA512
521b94fca00b7f68bd18df9a762d1f8e74e3f0ec8a0730367ddc26e603be292333393ccd78c4aeecec70ef752d574b8daa6fca9cee69e8b72d39bb05c94a647a

Download Submit
memory/3764-0-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3764-2-0x0000000000770000-0x0000000000870000-memory.dmp

Filesize
1024KB

Download
memory/3764-3-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3764-5-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3764-6-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3764-10-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download