2417b0e8e7c8315305c8bfcb9ba40a2c04ed3ede89984e78fe7a1ba2cb2f2eaf

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/02/2024, 03:57

Target

85dd4afe633b82ea05601b638e8cdcd6.exe
Size

34KB
MD5

85dd4afe633b82ea05601b638e8cdcd6
SHA1

f9e502ba6e3419a2de4f1799fc9444349a088508
SHA256

2417b0e8e7c8315305c8bfcb9ba40a2c04ed3ede89984e78fe7a1ba2cb2f2eaf
SHA512

dd6a95a5bc9f68f38267f9bb4da804bc3ba75f2c3eeea25c6bfc4ad9283dcc5e86ba673c1ce7f914f7d2c5e67699b372c1ed3261edc16bbdb364a21e81c41c06
SSDEEP

768:h3JWSrLMBZ1Bi24X7pyH0VWNm4qU2gin1oghX0AenbcuyD7U0:pJliAXVtVWNm4qWM5Ednouy8

Score

7^/10

upx

Executes dropped EXE 2 IoCs

pid	Process
2120	conime.exe
1620	svchost.exe

Loads dropped DLL 4 IoCs

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2960-0-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2960-21-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IME\svchost.exe	conime.exe
File created	C:\Windows\SysWOW64\IME\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\IME\svchost.exe	conime.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Progra~1\Realtek\SOUNDMAN.EXE	85dd4afe633b82ea05601b638e8cdcd6.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2960	85dd4afe633b82ea05601b638e8cdcd6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	85dd4afe633b82ea05601b638e8cdcd6.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2120	2960	85dd4afe633b82ea05601b638e8cdcd6.exe	28
PID 2960 wrote to memory of 2120	2960	85dd4afe633b82ea05601b638e8cdcd6.exe	28
PID 2960 wrote to memory of 2120	2960	85dd4afe633b82ea05601b638e8cdcd6.exe	28
PID 2960 wrote to memory of 2120	2960	85dd4afe633b82ea05601b638e8cdcd6.exe	28
PID 2120 wrote to memory of 1620	2120	conime.exe	29
PID 2120 wrote to memory of 1620	2120	conime.exe	29
PID 2120 wrote to memory of 1620	2120	conime.exe	29
PID 2120 wrote to memory of 1620	2120	conime.exe	29
PID 2120 wrote to memory of 2004	2120	conime.exe	30
PID 2120 wrote to memory of 2004	2120	conime.exe	30
PID 2120 wrote to memory of 2004	2120	conime.exe	30
PID 2120 wrote to memory of 2004	2120	conime.exe	30

C:\Users\Admin\AppData\Local\Temp\rs.bat

Filesize
105B

MD5
c33c3bd528b74ef8e010cd3b5f3950aa

SHA1
c8fafd5f2a514aaf64259565aaae8d0450444be3

SHA256
4a9b066077e5b57aaf2d54e23c023ed6558b89d4955a0f94e5c39257ad7e9df8

SHA512
92e85b2a6ea5d06b9258f37ded20605807fd26ec3b402452e90cde26148f05b609f336e6844b92d0357e84ba462ba9acab7ea1ee3de1693b7955301f458e87c9

Download Submit
\Users\Admin\AppData\Local\Temp\conime.exe

Filesize
16KB

MD5
579f1f288e84dee349360b17a6e2681c

SHA1
0cd9b1cd201f3c481d62b360fce4565e26de033c

SHA256
d749caccffa900211c045166e36d69ed3c8edc47326faa8d2156215f98824105

SHA512
c80571ddb250ad020524bf7be8629912a599abb201da2b95345ecd35260ce99aa13d1585ce0f8ab4e70e821721cd321afd31af3a056145e0cb2187491932827d

Download Submit
memory/2960-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2960-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download