b93cd3da0eb6bb0147a63ab5d82ec568606535f687ea2f992276eb8a57fe1a19

Analysis

max time kernel
141s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-04-2024 02:16

Target

b93cd3da0eb6bb0147a63ab5d82ec568606535f687ea2f992276eb8a57fe1a19.exe
Size

404KB
MD5

d869aa5a6a0e1f09630d25135a8a1cba
SHA1

3f5d9764ef92f129833039cb0abf81ab6ee6ac71
SHA256

b93cd3da0eb6bb0147a63ab5d82ec568606535f687ea2f992276eb8a57fe1a19
SHA512

d07aae9af85f8524ab02cce7a8c75ca3c26c825b20748d872ac39a5f365cf97e1c232acbbda957080319d9b6be0494ee94e4e313d1550abc41b28c85625599eb
SSDEEP

768:WtrYLOAb8u1n/DqPzR8lSvXpvQTf2z5JXhAiycIdnaBYwrYiaf0Is:qcLOs8In/mpfgI5JXpycIdnawiac1

Score

7^/10

upx

Deletes itself 1 IoCs

pid	Process
2488	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2300	fwehost.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1500-0-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral1/memory/1500-5-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral1/memory/2300-11-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral1/memory/2300-15-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral1/memory/2300-16-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral1/memory/2300-17-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral1/memory/2300-19-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral1/memory/2300-21-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral1/memory/2300-23-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral1/memory/2300-25-0x0000000010000000-0x000000001000E000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\AppPatch\IME\fwehost.exe	b93cd3da0eb6bb0147a63ab5d82ec568606535f687ea2f992276eb8a57fe1a19.exe
File opened for modification	C:\Windows\AppPatch\IME\fwehost.exe	b93cd3da0eb6bb0147a63ab5d82ec568606535f687ea2f992276eb8a57fe1a19.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1500	b93cd3da0eb6bb0147a63ab5d82ec568606535f687ea2f992276eb8a57fe1a19.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 2488	1500	b93cd3da0eb6bb0147a63ab5d82ec568606535f687ea2f992276eb8a57fe1a19.exe	29
PID 1500 wrote to memory of 2488	1500	b93cd3da0eb6bb0147a63ab5d82ec568606535f687ea2f992276eb8a57fe1a19.exe	29
PID 1500 wrote to memory of 2488	1500	b93cd3da0eb6bb0147a63ab5d82ec568606535f687ea2f992276eb8a57fe1a19.exe	29
PID 1500 wrote to memory of 2488	1500	b93cd3da0eb6bb0147a63ab5d82ec568606535f687ea2f992276eb8a57fe1a19.exe	29

C:\Users\Admin\AppData\Local\Temp\b93cd3da0eb6bb0147a63ab5d82ec568606535f687ea2f992276eb8a57fe1a19.exe
"C:\Users\Admin\AppData\Local\Temp\b93cd3da0eb6bb0147a63ab5d82ec568606535f687ea2f992276eb8a57fe1a19.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B93CD3~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2488

C:\Windows\AppPatch\IME\fwehost.exe
C:\Windows\AppPatch\IME\fwehost.exe
1⤵
- Executes dropped EXE
PID:2300

C:\Windows\AppPatch\IME\fwehost.exe

Filesize
409KB

MD5
01950b1702ff73449622d8a2ffaeb8ed

SHA1
ff8794370500102495b9c008d0ac0f8b2339ff68

SHA256
3b911b67687844dbd6c6fc4026a83e54ab102bac123b05de8c2957890633ed4e

SHA512
b1ee0b473ebef87d84fa589482cc562e52ab48319ac5eb33dd95fcd30a6e144287648883d231fbe63f162b56941e43954f1e5663684fee84ce6fadb2b5b5e07d

Download Submit
memory/1500-0-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/1500-5-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/2300-11-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/2300-15-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/2300-16-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/2300-17-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/2300-19-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/2300-21-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/2300-23-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/2300-25-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download