6c1fa227e05ee7152152ae18402e0f84aa9efab3a16d11f75dade1e1d820538c

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 18:58

Target

99e45e0f978f6ab56efce6b1d717d732.exe
Size

16KB
MD5

99e45e0f978f6ab56efce6b1d717d732
SHA1

4b78307118f2e06bc955705bd2abd976b6b56ba1
SHA256

6c1fa227e05ee7152152ae18402e0f84aa9efab3a16d11f75dade1e1d820538c
SHA512

cb271eed70c71074b13aa04e076ee69b130ad4091bc79519b0293dbc33dce5b519bfada91b5f0a28562b189d97307e85a923d5c10e4bfac53dfb5340168209b0
SSDEEP

192:HEkXP7PmpW4EWjm2Xv3rZn8pdwxXIlOP9kzDf7XF0+MXE2bOV6uUBKTfQrwlXHAE:H5TmSwxXgOPKzDzXFgE2jSjQcAp1DWT

Score

7^/10

upx

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1680	99e45e0f978f6ab56efce6b1d717d732.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1680-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1680-9-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fxnfnh.cfg	99e45e0f978f6ab56efce6b1d717d732.exe
File opened for modification	C:\Windows\SysWOW64\fxnfnh.dll	99e45e0f978f6ab56efce6b1d717d732.exe
File created	C:\Windows\SysWOW64\fxnfnh.dll	99e45e0f978f6ab56efce6b1d717d732.exe
File created	C:\Windows\SysWOW64\sefawe.dll	99e45e0f978f6ab56efce6b1d717d732.exe
File opened for modification	C:\Windows\SysWOW64\sefawe.dll	99e45e0f978f6ab56efce6b1d717d732.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	99e45e0f978f6ab56efce6b1d717d732.exe
Token: SeDebugPrivilege	1680	99e45e0f978f6ab56efce6b1d717d732.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1204	1680	99e45e0f978f6ab56efce6b1d717d732.exe	18
PID 1680 wrote to memory of 1204	1680	99e45e0f978f6ab56efce6b1d717d732.exe	18
PID 1680 wrote to memory of 2700	1680	99e45e0f978f6ab56efce6b1d717d732.exe	28
PID 1680 wrote to memory of 2700	1680	99e45e0f978f6ab56efce6b1d717d732.exe	28
PID 1680 wrote to memory of 2700	1680	99e45e0f978f6ab56efce6b1d717d732.exe	28
PID 1680 wrote to memory of 2700	1680	99e45e0f978f6ab56efce6b1d717d732.exe	28

\Windows\SysWOW64\fxnfnh.dll

Filesize
27KB

MD5
8cf1383f88bde2ec1cc2270865926398

SHA1
080b11fb4767c825a6cdbb0b3795d73b53535c3d

SHA256
068097df43331c188e680ee467d7c4546506f024f78e94136db9c2b9a9af7476

SHA512
ec84f28cab423c89c0cc6f22d0396b904b27fecdcf24ad52d5c0c4e6c3a261ae2a5d4fe392d82d51be39668f5721c5034bc6d70a2af8d519f61c6cb86d5e4761

Download Submit
memory/1204-7-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/1680-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1680-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download