7fab547ccdea06a6a4b043e55ec850fb733748c84b3c06e42396efa216c14d9a

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 23:19

Target

4cb700e45cc636ee830aeb8ee6cf850c.exe
Size

14.7MB
MD5

4cb700e45cc636ee830aeb8ee6cf850c
SHA1

b67aa9982f7c9cf89937e62f49f200e5b00d055b
SHA256

7fab547ccdea06a6a4b043e55ec850fb733748c84b3c06e42396efa216c14d9a
SHA512

c0012a051a8406dab26d9ceeba690a33162d3ba21025627eef5cef63c9b1b4fe4306b801a24b0bb8e4d1f175ab258ff1ce62900c4fdca709854c266795c408c7
SSDEEP

196608:neaIOwLaIOwo3LaIO1LLLaIO/LaIOwQaIOi:ne9OwL9Owo3L9O1LLL9O/L9OwQ9Oi

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
324	qruy.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/3888-0-0x0000000000400000-0x000000000054E000-memory.dmp	upx
behavioral2/files/0x0007000000023210-3.dat	upx
behavioral2/files/0x0007000000023210-4.dat	upx
behavioral2/memory/3888-6-0x0000000000400000-0x000000000054E000-memory.dmp	upx
behavioral2/memory/324-5-0x0000000000400000-0x000000000054E000-memory.dmp	upx
behavioral2/memory/324-8-0x0000000000400000-0x000000000054E000-memory.dmp	upx

Suspicious use of FindShellTrayWindow 4 IoCs

Suspicious use of SendNotifyMessage 4 IoCs

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
324	qruy.exe
324	qruy.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 324	3888	4cb700e45cc636ee830aeb8ee6cf850c.exe	90
PID 3888 wrote to memory of 324	3888	4cb700e45cc636ee830aeb8ee6cf850c.exe	90
PID 3888 wrote to memory of 324	3888	4cb700e45cc636ee830aeb8ee6cf850c.exe	90

C:\Users\Admin\AppData\Local\Temp\4cb700e45cc636ee830aeb8ee6cf850c.exe
"C:\Users\Admin\AppData\Local\Temp\4cb700e45cc636ee830aeb8ee6cf850c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Local\Temp\qruy.exe
  C:\Users\Admin\AppData\Local\Temp\qruy.exe -run C:\Users\Admin\AppData\Local\Temp\4cb700e45cc636ee830aeb8ee6cf850c.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:324

C:\Users\Admin\AppData\Local\Temp\qruy.exe

Filesize
9KB

MD5
74b8ec843a56bfa163f987c6b289b8d0

SHA1
d083c9e86e3bf6b72baa53ff8fa6b93be657d516

SHA256
8789854e512af431bbeacc1c549ca5cf07a7c010622817620f8636c874683112

SHA512
fdbaad22d1af22e28da97490838ef6dd1f4805c0d25e1e4a8a017da76d4fdbd21a0667a5ccdb408798a2d458575311346783efb0128a24c5c3e5d990e074f82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qruy.exe

Filesize
1.1MB

MD5
44b98bdc77fae864a0dd8a9dceebfd4d

SHA1
0a024969ef32e59a473288b2314b85aec1745e83

SHA256
fb2d2ef682e6789c6f1789ae289fb529f046256eb13a0142c93aabf225bae8cb

SHA512
eeaa826a397e509da1479292319a5a36270c33e274b50bfb360772724dc3c978ad5e04afead234736ab92de81d3b3ea8b5767bf3b6e3d9802079ecbe790a34ed

Download Submit
memory/324-5-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/324-7-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/324-8-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/324-9-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/3888-0-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/3888-6-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download