45338519f661570a3bd47129caca9fe2d1b63a838dab1861851bd3d857f76bf7

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2024, 05:16

Target

cd33850100791bce8162117aaa08aadb.exe
Size

27KB
MD5

cd33850100791bce8162117aaa08aadb
SHA1

daed613f507c550ad230fb2b65b805af0ccdc78a
SHA256

45338519f661570a3bd47129caca9fe2d1b63a838dab1861851bd3d857f76bf7
SHA512

b2cc45765991ba26e2e6a838d2feb6147361fa6e1d2226dbcd7d697b22e85078a428e9deeedb4617e79059bc8769819804c91390d12e62bbae7175632fc3925a
SSDEEP

768:dn0JKboMSh4Z5mvnNfTsgAH9iaOX/0IOAebjB8na:IEoMShlQgUOs1jBh

Score

7^/10

upx

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/1844-0-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/3084-4-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/1844-5-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/3084-6-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/3084-8-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe:exe.exe	cd33850100791bce8162117aaa08aadb.exe
File created	C:\Windows\SysWOW64\icf.exe	cd33850100791bce8162117aaa08aadb.exe
File opened for modification	C:\Windows\SysWOW64\icf.exe	cd33850100791bce8162117aaa08aadb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1844 set thread context of 3084	1844	cd33850100791bce8162117aaa08aadb.exe	87

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 3084	1844	cd33850100791bce8162117aaa08aadb.exe	87
PID 1844 wrote to memory of 3084	1844	cd33850100791bce8162117aaa08aadb.exe	87
PID 1844 wrote to memory of 3084	1844	cd33850100791bce8162117aaa08aadb.exe	87
PID 1844 wrote to memory of 3084	1844	cd33850100791bce8162117aaa08aadb.exe	87
PID 1844 wrote to memory of 64	1844	cd33850100791bce8162117aaa08aadb.exe	88
PID 1844 wrote to memory of 64	1844	cd33850100791bce8162117aaa08aadb.exe	88
PID 1844 wrote to memory of 64	1844	cd33850100791bce8162117aaa08aadb.exe	88

C:\Users\Admin\AppData\Local\Temp\cd33850100791bce8162117aaa08aadb.exe
"C:\Users\Admin\AppData\Local\Temp\cd33850100791bce8162117aaa08aadb.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:3084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\10223619.bat
  2⤵
  PID:64

C:\Users\Admin\AppData\Local\Temp\10223619.bat

Filesize
238B

MD5
425ce90869b50f75d6e5d38355552444

SHA1
ccc9feff1fb054362d2da0a5d5e198bf75d4bcea

SHA256
a262bf17ed16df6e1dc0591d7404ccf7c8498a54a7d6a4de4b45b56236582260

SHA512
8fd921f8ab50228805bbf8f846282018cbded551610e171ceb4054627a163c255ed4374d3663a1475a9bb89fe5f32b4452e9e62f94509ca2920a8bf0b2c75ee8

Download Submit
memory/1844-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1844-5-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3084-4-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3084-6-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3084-8-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download