53d8cfe1f7ea99fff9531f5b608fc2b57ab24837b348ca6aa4b75ad945999291

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-01-2024 03:22

Target

梦幻法宝/update.exe
Size

19KB
MD5

8a4de8b7c5cae90b549ff55049b5dc3e
SHA1

47b3af89bc5e295db9a6c6675d1f1345641c07cb
SHA256

b77e236af4a64e53fa0a93f8a8cbc312b183c404db9cfdb54b391785fde120a0
SHA512

9d2dfd354dfd32ab81553c2474197b86d62f9b79fab227dd3c10d118cb4de25a4e02ee7f4227e22d25093dd3cd7b3efd668895e60e3ba88f04f125732a21ea62
SSDEEP

384:kH8zWyAiMop2MBFwUFHdR+DnfNA8NvLTfRulzDc:uEWvosMBFwUF9R+Dn7x3gDc

Score

7^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral5/memory/2032-0-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral5/memory/2032-7-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\imm32.dll	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2264	2032	update.exe	28
PID 2032 wrote to memory of 2264	2032	update.exe	28
PID 2032 wrote to memory of 2264	2032	update.exe	28
PID 2032 wrote to memory of 2264	2032	update.exe	28
PID 2032 wrote to memory of 2264	2032	update.exe	28
PID 2032 wrote to memory of 2264	2032	update.exe	28
PID 2032 wrote to memory of 2264	2032	update.exe	28

C:\Users\Admin\AppData\Local\Temp\梦幻法宝\update.exe
"C:\Users\Admin\AppData\Local\Temp\梦幻法宝\update.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe F:\RECYCLER\KB970584.DLL,Init C:\Users\Admin\AppData\Local\Temp\????\update.exe|2032
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264

F:\RECYCLER\KB970584.DLL

Filesize
40KB

MD5
6dee6a538cb0ad7af99d48a85de0f321

SHA1
fca34a4b25ce88c5b9a1c6a51b12f7b86a3c2085

SHA256
72cb7038782bb4196e2d4a601ec66e156243783481596f8edeb38ef2e63c0a5f

SHA512
78cd457c2da9fc6bc825095c0b720c9b8a5a62f8a62d806c4bda4870c3188f826106136d79c66be6cbc58c16a0b9082fc1c5afd1621570c2ffe0fe1869262f37

Download Submit
memory/2032-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2032-2-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2032-1-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2032-3-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2032-7-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download