34a16978931e47e4f89d3815a48c732473778e75a06aa1cae7f8e5dddea6e93a

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 14:27

Target

39cfc469508d5965215416846991499a.exe
Size

395KB
MD5

39cfc469508d5965215416846991499a
SHA1

4cc5af5cd531d2f05d1512f95140e4f98da9ac77
SHA256

34a16978931e47e4f89d3815a48c732473778e75a06aa1cae7f8e5dddea6e93a
SHA512

6c81302d2764a9bdcb9d35f1d64835f09b40dc7d2606aebfb7cd505754b4bfeed90fdda85f29ca5e6b014815fc517305777dca3ce5837bb068ed5f2aeb2bb7f8
SSDEEP

6144:/MWl87c3NnVA6DUXV6S/kL4QzVSzvY8TKWxbVKcArEuer7:f35vUXV0c6WQkK5Xver7

Score

8^/10

upx

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\suchost.exe	39cfc469508d5965215416846991499a.exe
File created	C:\Windows\SysWOW64\drivers\suchost.exe	39cfc469508d5965215416846991499a.exe

Deletes itself 1 IoCs

pid	Process
2384	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
940	suchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1884	39cfc469508d5965215416846991499a.exe
1884	39cfc469508d5965215416846991499a.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1884-21-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral1/memory/940-20-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral1/memory/1884-0-0x0000000000400000-0x000000000044A000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 5 IoCs

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 2384	1884	39cfc469508d5965215416846991499a.exe	16
PID 1884 wrote to memory of 2384	1884	39cfc469508d5965215416846991499a.exe	16
PID 1884 wrote to memory of 2384	1884	39cfc469508d5965215416846991499a.exe	16
PID 1884 wrote to memory of 2384	1884	39cfc469508d5965215416846991499a.exe	16
PID 1884 wrote to memory of 940	1884	39cfc469508d5965215416846991499a.exe	15
PID 1884 wrote to memory of 940	1884	39cfc469508d5965215416846991499a.exe	15
PID 1884 wrote to memory of 940	1884	39cfc469508d5965215416846991499a.exe	15
PID 1884 wrote to memory of 940	1884	39cfc469508d5965215416846991499a.exe	15

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\8$$.bat
1⤵
- Deletes itself
PID:2384

memory/940-20-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1884-18-0x00000000005E0000-0x000000000062A000-memory.dmp

Filesize
296KB

Download
memory/1884-21-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1884-0-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download