c30cf50680c1d7c54fd26b3262376ab32867ca31fdd67a7b4b3502bf5c91ac1e

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 02:07

Target

23effee2787e50874b468c9022dd0de3.exe
Size

30KB
MD5

23effee2787e50874b468c9022dd0de3
SHA1

e4411aa9b0f6af82ac87af519b05b4e2a81a93ab
SHA256

c30cf50680c1d7c54fd26b3262376ab32867ca31fdd67a7b4b3502bf5c91ac1e
SHA512

1a61aea551cdbf4fafce4f823c6da2c57dc4ef9edffcdb82aa752fbc1f0b3dcc35b510f873db627db8cb6aae10081b6b944c0567eb6a2ab599271a50ab13929a
SSDEEP

768:KxLAXLHDcYe+XZjWJeaZgc9mHDVekM8dk:KxLgHDcB+XZjWJlgc9q8kD

Score

7^/10

upx

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000f00000001e59d-4.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2832	23effee2787e50874b468c9022dd0de3.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/2832-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2832-1-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x000f00000001e59d-4.dat	upx
behavioral2/memory/2832-8-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HoRa64W7.dll	23effee2787e50874b468c9022dd0de3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2832	23effee2787e50874b468c9022dd0de3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2804	2832	23effee2787e50874b468c9022dd0de3.exe	102
PID 2832 wrote to memory of 2804	2832	23effee2787e50874b468c9022dd0de3.exe	102
PID 2832 wrote to memory of 2804	2832	23effee2787e50874b468c9022dd0de3.exe	102

C:\Users\Admin\AppData\Local\Temp\23effee2787e50874b468c9022dd0de3.exe
"C:\Users\Admin\AppData\Local\Temp\23effee2787e50874b468c9022dd0de3.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\23EFFE~1.EXE > nul
  2⤵
  PID:2804

C:\Windows\SysWOW64\HoRa64W7.dll

Filesize
28KB

MD5
21c2d3e4ca2bf2217afcb459a72c538c

SHA1
aceefe9b1b9a8b40c6d8e36ed8bfecdd0ed87163

SHA256
f82cc94e1b6068b9630638b1594e098c6fcba7a91ab693c7214d1cccd52b6efc

SHA512
990362086b6d5dbca4ef761038e28d31b866f3acf37c6f4ce3e6182280432ba3a1956c35b2e62146af4800b462fc78eb192207f4d4bc3c891d54339d749d9574

Download Submit
memory/2832-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2832-1-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2832-7-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2832-8-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download