7312d3ac818d44fa2f90cb4f610c23d89bedb2c76dd19bc3ecfde30a15036dc7

Analysis

max time kernel
148s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 20:53

Target

1c4254f7796ec1f9f03f21c873766613.exe
Size

284KB
MD5

1c4254f7796ec1f9f03f21c873766613
SHA1

e3cdb4ab6888156f35b66ec4b2120e5dd1f9b96a
SHA256

7312d3ac818d44fa2f90cb4f610c23d89bedb2c76dd19bc3ecfde30a15036dc7
SHA512

8dc43a7021ccb7478745e599670941e9930f1e51ac84915c61a58d3d929f8b7539fbcbf0ce3fb59202d9e46286d74655b212752f9de165975fa56f0663e79484
SSDEEP

6144:tyrf5tfsZxQ0BI/04stNE25KeD1i4Ofy59BDcspPU8CP0G9:qRN0BxYQ/QWO8CP0C

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
1872	R_Server.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/2960-0-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/files/0x000300000001e982-5.dat	upx
behavioral2/memory/1872-10-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/2960-12-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/1872-7-0x0000000000400000-0x00000000004C4000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Deleteme.bat	1c4254f7796ec1f9f03f21c873766613.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe	1c4254f7796ec1f9f03f21c873766613.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe	1c4254f7796ec1f9f03f21c873766613.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 1872	2960	1c4254f7796ec1f9f03f21c873766613.exe	23
PID 2960 wrote to memory of 1872	2960	1c4254f7796ec1f9f03f21c873766613.exe	23
PID 2960 wrote to memory of 1872	2960	1c4254f7796ec1f9f03f21c873766613.exe	23
PID 1872 wrote to memory of 1352	1872	R_Server.exe	22
PID 1872 wrote to memory of 1352	1872	R_Server.exe	22
PID 2960 wrote to memory of 4476	2960	1c4254f7796ec1f9f03f21c873766613.exe	21
PID 2960 wrote to memory of 4476	2960	1c4254f7796ec1f9f03f21c873766613.exe	21
PID 2960 wrote to memory of 4476	2960	1c4254f7796ec1f9f03f21c873766613.exe	21

C:\Users\Admin\AppData\Local\Temp\1c4254f7796ec1f9f03f21c873766613.exe
"C:\Users\Admin\AppData\Local\Temp\1c4254f7796ec1f9f03f21c873766613.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:4476
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1872

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:1352

memory/1872-10-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1872-8-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/1872-7-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2960-0-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2960-12-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2960-3-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download