e792920cc152df874f29810e435af9c71838f690a2e7abc3cbc6ad9ab5473336

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 10:05

Target

screenshot.exe
Size

7.3MB
MD5

2477349610f4f17d966703b563217496
SHA1

1b16d7adb12537952fdffb315021474284aefab0
SHA256

e792920cc152df874f29810e435af9c71838f690a2e7abc3cbc6ad9ab5473336
SHA512

771b9c94acc37ec6841ec725e92d58e52a83822291a21b8e8633999947a46692ce88b8b9d0d9078770f8db15853250a44459bbf3c107e16351a4464cafca66f3
SSDEEP

196608:fVYS6oOshoKMuIkhVastRL5Di3uh1D7JQ:tYS/OshouIkPftRL54YRJQ

Score

7^/10

upx

Loads dropped DLL 1 IoCs

pid	Process
3020	screenshot.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x0006000000015f9e-21.dat	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 3020	2976	screenshot.exe	28
PID 2976 wrote to memory of 3020	2976	screenshot.exe	28
PID 2976 wrote to memory of 3020	2976	screenshot.exe	28

C:\Users\Admin\AppData\Local\Temp\screenshot.exe
"C:\Users\Admin\AppData\Local\Temp\screenshot.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\screenshot.exe
  "C:\Users\Admin\AppData\Local\Temp\screenshot.exe"
  2⤵
  - Loads dropped DLL
  PID:3020

C:\Users\Admin\AppData\Local\Temp\_MEI29762\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
memory/3020-23-0x000007FEF5FD0000-0x000007FEF65B9000-memory.dmp

Filesize
5.9MB

Download