b2a66675404dd3c5908ebb0cc4545859b64f4214ddd4e283b036027b1f785689

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 19:51

Target

65e3883dca9d9acf682736b42e47c7c7.exe
Size

298KB
MD5

65e3883dca9d9acf682736b42e47c7c7
SHA1

a29d050b37eb2b804357b7211128cc88da85cb64
SHA256

b2a66675404dd3c5908ebb0cc4545859b64f4214ddd4e283b036027b1f785689
SHA512

bf3807acdb68281959ea7510e662aaf57be432b2a13c39ace9c56e3b79b12c3ce6c62b2922184c21ca57eeeef382135ee7314f39f7aaa318fac139a75beba885
SSDEEP

6144:pnsJR4+J9B1sw/tUGpmESpr8wT4K4eszgxVQQmVwBEQoS:12Rlv1s6tRhvwTPjssPAwBoS

Score

7^/10

upx

Deletes itself 1 IoCs

pid	Process
2304	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2752	winesp.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2024-0-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral1/files/0x000c0000000122bb-3.dat	upx
behavioral1/memory/2752-4-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral1/memory/2752-7-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral1/memory/2024-15-0x0000000000400000-0x0000000000496000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	65e3883dca9d9acf682736b42e47c7c7.exe
File opened for modification	C:\Windows\SysWOW64\winesp.exe	winesp.exe
File created	C:\Windows\SysWOW64\winesp.exe	65e3883dca9d9acf682736b42e47c7c7.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2304	2024	65e3883dca9d9acf682736b42e47c7c7.exe	29
PID 2024 wrote to memory of 2304	2024	65e3883dca9d9acf682736b42e47c7c7.exe	29
PID 2024 wrote to memory of 2304	2024	65e3883dca9d9acf682736b42e47c7c7.exe	29
PID 2024 wrote to memory of 2304	2024	65e3883dca9d9acf682736b42e47c7c7.exe	29

C:\Users\Admin\AppData\Local\Temp\65e3883dca9d9acf682736b42e47c7c7.exe
"C:\Users\Admin\AppData\Local\Temp\65e3883dca9d9acf682736b42e47c7c7.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\868440.bat
  2⤵
  - Deletes itself
  PID:2304

C:\Users\Admin\AppData\Local\Temp\868440.bat

Filesize
190B

MD5
f65d2a68c58d6c5667dc320f0200bbb0

SHA1
a77895afce3d266cb3318a5611cb02452c62efab

SHA256
8cd0eb8c555b6d5e2fa50b2da3bfee979386e9d5842003036b33fe7b90ecc01b

SHA512
bd493b9fd9ba73512c11a1fc78c7c476534691f340b49f4ed13555222645f08ab77e26955fb59c64e2d21b8a22e281f933d0ad2c514e68f129ef47f57190e32b

Download Submit
C:\Windows\SysWOW64\winesp.exe

Filesize
298KB

MD5
65e3883dca9d9acf682736b42e47c7c7

SHA1
a29d050b37eb2b804357b7211128cc88da85cb64

SHA256
b2a66675404dd3c5908ebb0cc4545859b64f4214ddd4e283b036027b1f785689

SHA512
bf3807acdb68281959ea7510e662aaf57be432b2a13c39ace9c56e3b79b12c3ce6c62b2922184c21ca57eeeef382135ee7314f39f7aaa318fac139a75beba885

Download Submit
memory/2024-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2024-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2024-15-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2752-4-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2752-5-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2752-7-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download