ec515ef0508ec52086101329ffcb1268b348aba0293330c7a7e7846577a23554

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 03:10

Target

763a8d0bb00a317ce19e1f93123daf0b.exe
Size

19KB
MD5

763a8d0bb00a317ce19e1f93123daf0b
SHA1

f9a9a464057f2d1fa6bc5764126db961cefd6f76
SHA256

ec515ef0508ec52086101329ffcb1268b348aba0293330c7a7e7846577a23554
SHA512

e3ef3022097b80267bb200de8bd06ba5a4d21bd1cce3d395ee06b72d05302c75fb3cf6e86919aae2825b2cef957b3eb2dc1a42e17e964365e792f7d2b3df492f
SSDEEP

384:6k6YW/rn2E0ava11qpctH9z36Gp7LlvS3aUJPK04rWqu:69YW/ahava1suxtx75q3a+PK0r

Score

7^/10

upx

Deletes itself 1 IoCs

pid	Process
2420	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2412	servet.exe

Loads dropped DLL 2 IoCs

pid	Process
2180	763a8d0bb00a317ce19e1f93123daf0b.exe
2180	763a8d0bb00a317ce19e1f93123daf0b.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2180-0-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/files/0x00070000000122c4-3.dat	upx
behavioral1/memory/2180-4-0x0000000000380000-0x0000000000392000-memory.dmp	upx
behavioral1/memory/2412-12-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2412-15-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2180-22-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\servet.exe	763a8d0bb00a317ce19e1f93123daf0b.exe
File opened for modification	C:\Windows\SysWOW64\servet.exe	763a8d0bb00a317ce19e1f93123daf0b.exe
File opened for modification	C:\Windows\SysWOW64\servet.exe	servet.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	763a8d0bb00a317ce19e1f93123daf0b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2412	2180	763a8d0bb00a317ce19e1f93123daf0b.exe	28
PID 2180 wrote to memory of 2412	2180	763a8d0bb00a317ce19e1f93123daf0b.exe	28
PID 2180 wrote to memory of 2412	2180	763a8d0bb00a317ce19e1f93123daf0b.exe	28
PID 2180 wrote to memory of 2412	2180	763a8d0bb00a317ce19e1f93123daf0b.exe	28
PID 2180 wrote to memory of 2420	2180	763a8d0bb00a317ce19e1f93123daf0b.exe	29
PID 2180 wrote to memory of 2420	2180	763a8d0bb00a317ce19e1f93123daf0b.exe	29
PID 2180 wrote to memory of 2420	2180	763a8d0bb00a317ce19e1f93123daf0b.exe	29
PID 2180 wrote to memory of 2420	2180	763a8d0bb00a317ce19e1f93123daf0b.exe	29

C:\Users\Admin\AppData\Local\Temp\763a8d0bb00a317ce19e1f93123daf0b.exe
"C:\Users\Admin\AppData\Local\Temp\763a8d0bb00a317ce19e1f93123daf0b.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\servet.exe
  C:\Windows\system32\servet.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  - Deletes itself
  PID:2420

C:\Windows\SysWOW64\Deleteme.bat

Filesize
184B

MD5
2d970c3ff802424e5d33831a9183f7a9

SHA1
82e51520f418e14e7d63de1295d1b4c344cb4d01

SHA256
912e91ed024f6779dca7f8e88bd895c1c6b92fdb3bf980ae584f969d71778595

SHA512
dd921072374eed6a008b1a12a7b7af08571f0c77da0909c44a69399e2489f0cf5ebdd8225b2e46ec1d2f7053e186962a2c88b3547cb89098d9e5cc6475dad60b

Download Submit
\Windows\SysWOW64\servet.exe

Filesize
19KB

MD5
763a8d0bb00a317ce19e1f93123daf0b

SHA1
f9a9a464057f2d1fa6bc5764126db961cefd6f76

SHA256
ec515ef0508ec52086101329ffcb1268b348aba0293330c7a7e7846577a23554

SHA512
e3ef3022097b80267bb200de8bd06ba5a4d21bd1cce3d395ee06b72d05302c75fb3cf6e86919aae2825b2cef957b3eb2dc1a42e17e964365e792f7d2b3df492f

Download Submit
memory/2180-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2180-4-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download
memory/2180-11-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download
memory/2180-22-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2412-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2412-15-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download