ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-01-2024 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
Size

1.2MB
MD5

62b03c57a5ce3850a5beca5208c0c0ec
SHA1

29e23735d59a412eb30b4770902c95be999d6e16
SHA256

ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35
SHA512

990fb46b6069c7a138066d2e952afcb8a905fde90b27dc7ffbaa7912641a7e77aa691a9f6011f4360b85f3acf7148f5912aaefda10b74f9b621c9703e82a283e
SSDEEP

24576:2+4lO6c7jP9ihzURI0ysLsRX4l8sanecQjuavg6bpjvaAziLsp:2+t7Yzr0BL8Ilx0xQJvg6bpjva

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1688	di.exe

Loads dropped DLL 1 IoCs

pid	Process
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2356-0-0x0000000000400000-0x00000000005D7000-memory.dmp	upx
behavioral1/memory/2356-7-0x0000000000400000-0x00000000005D7000-memory.dmp	upx
behavioral1/files/0x00320000000142b4-29.dat	upx
behavioral1/memory/2356-30-0x0000000003120000-0x0000000003250000-memory.dmp	upx
behavioral1/memory/1688-31-0x0000000000400000-0x0000000000530000-memory.dmp	upx
behavioral1/memory/2356-39-0x0000000000400000-0x00000000005D7000-memory.dmp	upx
behavioral1/memory/1688-40-0x0000000000400000-0x0000000000530000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
1688	di.exe
1688	di.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1688	2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe	31
PID 2356 wrote to memory of 1688	2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe	31
PID 2356 wrote to memory of 1688	2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe	31
PID 2356 wrote to memory of 1688	2356	ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe	31

C:\Users\Admin\AppData\Local\Temp\ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe
"C:\Users\Admin\AppData\Local\Temp\ee2101243668f9e5d17a0024f26f857c5d57d738a6486c9cc0268013073cff35.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Public\Pictures\di\di.exe
  C:\Users\Public\Pictures\di\di.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HJ0GGVIM\8ZNSWSKX.htm

Filesize
397KB

MD5
4ecd25e03bcd51b28dcbbf7ec1106482

SHA1
7a95c3d594271e85836e0dacc658576c1c59912a

SHA256
a61d78d36d2e32200ab9fa94ceca3697b59aa3ca967c19514e5fc34b5f7bf596

SHA512
a9afbfe31eeef4bfe6acf3b51279f53007846701f240693db7632922fb9f58b1a74fe298a825cf3b538043df6d44b39dc0904584716c62ddbc206a9fa5e9549c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M8YP661F.txt

Filesize
349B

MD5
ab4188f8a03014d60d82c22abeca31d8

SHA1
3f225cb8782e9b40dd2a315cb98d90ea198370f8

SHA256
80ea2f941243ef63e71ecbf1c4c9af8e79befc739b015f81e0b2269d49da86a5

SHA512
03186ef714147fe2d5527a534a9af45e2067149b1266186f1d6b841d9eea31b37b39046cac8757a9b0e922a4b9c627b23b0a28b15521b2e4f26c473961af0139

Download Submit
C:\Users\Public\Pictures\di\di.exe

Filesize
520KB

MD5
a217565e8a0ef5276f1decb36fa94a4a

SHA1
ce74a08c65263f36ed3da834a95809bf4a7ca598

SHA256
e65c0c3c3b725a2f0520c91a1550542cbfad9962f7dd4cb0d0ebdd54f32f3fb9

SHA512
1f889ba4cfecbb740c5e46b30c3570e5e93257b3ff1d47b9e0ca91235198491d49da555977510c76eca152ec735e986d58045c102c7d8f4678c20693a392573d

Download Submit
memory/1688-31-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/1688-40-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/2356-0-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2356-7-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2356-30-0x0000000003120000-0x0000000003250000-memory.dmp

Filesize
1.2MB

Download
memory/2356-39-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2356-44-0x0000000003120000-0x0000000003250000-memory.dmp

Filesize
1.2MB

Download