8f79590641337dbdeb61440051fbd6f02c8d236cb535e48778af6edc25511fed

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 15:59

Target

b517be06e094f1695c6d258304440f1d.exe
Size

51KB
MD5

b517be06e094f1695c6d258304440f1d
SHA1

aed448ab7b9f328a0746e4cab81def8623c83922
SHA256

8f79590641337dbdeb61440051fbd6f02c8d236cb535e48778af6edc25511fed
SHA512

10282166bc24995bdbca45a2fe5c0196ef69bbc8b660d816b8d92f935ce46644983060c96d04b4033e0067f0501e23ab3f5482e0b218b0cc0dee52a115d74947
SSDEEP

768:S26icBpFjoIUDqPH/azroiNtyxIGDraDxb702O5zQQBAbEp62q2fmNPpVNGMryX4:hmpFjo2PizmDr16QByoluNP7ZX60D

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
1664	uninstall.exe

Loads dropped DLL 1 IoCs

pid	Process
3028	b517be06e094f1695c6d258304440f1d.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/3028-0-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/files/0x000a000000012252-3.dat	upx
behavioral1/memory/3028-7-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1664-9-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1664-11-0x0000000000400000-0x000000000042B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1664	uninstall.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 1664	3028	b517be06e094f1695c6d258304440f1d.exe	28
PID 3028 wrote to memory of 1664	3028	b517be06e094f1695c6d258304440f1d.exe	28
PID 3028 wrote to memory of 1664	3028	b517be06e094f1695c6d258304440f1d.exe	28
PID 3028 wrote to memory of 1664	3028	b517be06e094f1695c6d258304440f1d.exe	28
PID 3028 wrote to memory of 1664	3028	b517be06e094f1695c6d258304440f1d.exe	28
PID 3028 wrote to memory of 1664	3028	b517be06e094f1695c6d258304440f1d.exe	28
PID 3028 wrote to memory of 1664	3028	b517be06e094f1695c6d258304440f1d.exe	28

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

\Users\Admin\AppData\Local\Temp\uninstall.exe

Filesize
51KB

MD5
b517be06e094f1695c6d258304440f1d

SHA1
aed448ab7b9f328a0746e4cab81def8623c83922

SHA256
8f79590641337dbdeb61440051fbd6f02c8d236cb535e48778af6edc25511fed

SHA512
10282166bc24995bdbca45a2fe5c0196ef69bbc8b660d816b8d92f935ce46644983060c96d04b4033e0067f0501e23ab3f5482e0b218b0cc0dee52a115d74947

Download Submit
memory/1664-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1664-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3028-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3028-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3028-8-0x00000000022D0000-0x00000000022FB000-memory.dmp

Filesize
172KB

Download