62e3075391e3ac9ad67c04ad974f73284631d1c78ffce4e837e9bd1ac39f2fdd

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 20:44

Target

978fcf26fc41db7d8c04aaabba060609.exe
Size

34KB
MD5

978fcf26fc41db7d8c04aaabba060609
SHA1

85b33df83b652f3cbdc18e3dca2fcbcf664da862
SHA256

62e3075391e3ac9ad67c04ad974f73284631d1c78ffce4e837e9bd1ac39f2fdd
SHA512

8f7375c468bf0bf868ef5873bab46e855f9a220b3e64d0ea040c74470543818fc458db475449c0e4ffed404f907a5e522e88e8185eb4589b6fe9b49d735ad1f4
SSDEEP

768:+0tBW+COw9sa1t4m/ktmVEWk6b5G2pAeQKcFsSFb7aXW+DLrNW79LIhOk:+4W+COw9N/ktL6b5G2irKcFZXam+DHQ2

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
4080	framework.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/4088-0-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x000400000001e3d9-2.dat	upx
behavioral2/memory/4080-3-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4088-7-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4080-8-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\framework.exe	978fcf26fc41db7d8c04aaabba060609.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 2852	4088	978fcf26fc41db7d8c04aaabba060609.exe	89
PID 4088 wrote to memory of 2852	4088	978fcf26fc41db7d8c04aaabba060609.exe	89
PID 4088 wrote to memory of 2852	4088	978fcf26fc41db7d8c04aaabba060609.exe	89

C:\Users\Admin\AppData\Local\Temp\978fcf26fc41db7d8c04aaabba060609.exe
"C:\Users\Admin\AppData\Local\Temp\978fcf26fc41db7d8c04aaabba060609.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\978fcf26fc41db7d8c04aaabba060609.exe"
  2⤵
  PID:2852

\??\c:\windows\SysWOW64\framework.exe
c:\windows\SysWOW64\framework.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\SysWOW64\framework.exe

Filesize
21KB

MD5
e0de3530a5483fde1bc87c4c8ff3b584

SHA1
81e782833487c0ea3f8f209060f6b21daa18d29b

SHA256
fe7cffbd1fd38aedc957b109af46a3f4a699c2c38ebaeaf97dbf634a04ef6a20

SHA512
d668c5cd9e9e6448418cb30a9dc1ca730cf9297d62de1292f04df36a7dd5b5956e361cf64922ed52310b610ca15ad4485908886203f068c2452856cbd805a051

Download Submit
memory/4080-3-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4080-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4088-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4088-7-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download