45f04179db6c20b4e087e0d67b17db69a87a2f0bde76b0dec8a0ce8be7e09953

Analysis

max time kernel
135s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 04:43

Target

766a89d221f72c04300c9016acf348f5.exe
Size

17KB
MD5

766a89d221f72c04300c9016acf348f5
SHA1

18721614dd060dba8b100bdede6426cb672d313d
SHA256

45f04179db6c20b4e087e0d67b17db69a87a2f0bde76b0dec8a0ce8be7e09953
SHA512

0f240f52cff459e675e27fcaae82246c8328a8dbc13ddc9d13301373cb12777b50fabb97465caf9d212e24fcee9c902c4021df054b78f2327f4fcca35f1ef624
SSDEEP

384:UFeXKQtK1ZnV6fiDQqBuTe1IOMaNJawcudoD7Uu7:IAKQE1ZnMfmQqBGkIOFnbcuyD7U

Score

8^/10

upx

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1028	766a89d221f72c04300c9016acf348f5.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/1028-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1028-17-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 392	1028	766a89d221f72c04300c9016acf348f5.exe	87
PID 1028 wrote to memory of 392	1028	766a89d221f72c04300c9016acf348f5.exe	87
PID 1028 wrote to memory of 392	1028	766a89d221f72c04300c9016acf348f5.exe	87

C:\Users\Admin\AppData\Local\Temp\766a89d221f72c04300c9016acf348f5.exe
"C:\Users\Admin\AppData\Local\Temp\766a89d221f72c04300c9016acf348f5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5851.tmp\do.bat""
  2⤵
  - Drops file in Drivers directory
  PID:392

C:\Users\Admin\AppData\Local\Temp\5851.tmp\b2e.dll

Filesize
31KB

MD5
7b860f28be19d4aef761fb991134a556

SHA1
0658a7456d0234dcca598b6ee599fe134d0ecd61

SHA256
57a2586d73188a694944c7da60c78380f82fac46452ed1a31c818ceb93e660bc

SHA512
a0685a25cbc3fff74aa4ad538ade5282242980f07fe1171e01644e0fa98e1ec6adc87b943290983f6fb5070d26fc15d697ae31a1f570e83e504ae1e4508aefa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851.tmp\do.bat

Filesize
262B

MD5
7a95cdae89570d6df5e7e4ac7a296380

SHA1
892822b14b2b2b6c84766a4f87f98afe683418c9

SHA256
2e2b47583de573c46ce89edb3249bd6c6d5c259821867babedb9d0ee03403e0c

SHA512
6cdb661531ecf38fcf1a41a33978f23cb38fdbb65a9b12a203d58f68d35a1a7e3dc870be9ad70e1c2b9ab3f990dc4f5e2f85f913029e391781e107477fff0a78

Download Submit
memory/1028-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1028-17-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download