9eb056d3883eeaf41ffbe35e4d56ea10b6f359d61b4b3abb793f702bb62a50c7

Analysis

max time kernel
120s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 04:44

Target

28afe7571aa441a58daf162c396bf091.exe
Size

296KB
MD5

28afe7571aa441a58daf162c396bf091
SHA1

f05a9d6ab19eb188294ca07226ea5fb467efb4a1
SHA256

9eb056d3883eeaf41ffbe35e4d56ea10b6f359d61b4b3abb793f702bb62a50c7
SHA512

ed427fdd7db253dc51a01ef910891ca86bece7072318e4afcae5ae69cc5b816b3739acd4f544e14ca93f9fe3e6bb11e4f9a044298697470e0d3e3c601665628e
SSDEEP

6144:JaRAHgr8c4SeLVDNNYYFUElfbISmDSOMPiAt4nInln4gnYlYc1IJoS:JaPs/jXFUQfsSmDSOMPiAHln7joS

Score

7^/10

upx

Deletes itself 1 IoCs

pid	Process
2800	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2184	winesp.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1888-0-0x0000000000400000-0x0000000000497000-memory.dmp	upx
behavioral1/memory/2184-4-0x0000000000400000-0x0000000000497000-memory.dmp	upx
behavioral1/memory/1888-15-0x0000000000400000-0x0000000000497000-memory.dmp	upx
behavioral1/memory/2184-7-0x0000000000400000-0x0000000000497000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IME\winesp.exe	winesp.exe
File created	C:\Windows\SysWOW64\IME\winesp.exe	28afe7571aa441a58daf162c396bf091.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 2800	1888	28afe7571aa441a58daf162c396bf091.exe	30
PID 1888 wrote to memory of 2800	1888	28afe7571aa441a58daf162c396bf091.exe	30
PID 1888 wrote to memory of 2800	1888	28afe7571aa441a58daf162c396bf091.exe	30
PID 1888 wrote to memory of 2800	1888	28afe7571aa441a58daf162c396bf091.exe	30

C:\Users\Admin\AppData\Local\Temp\28afe7571aa441a58daf162c396bf091.exe
"C:\Users\Admin\AppData\Local\Temp\28afe7571aa441a58daf162c396bf091.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\477203.bat
  2⤵
  - Deletes itself
  PID:2800

memory/1888-0-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1888-1-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1888-15-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2184-4-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2184-5-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2184-7-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download