8dc17ead538765e5249bd8f0c6f89f18781049aae7e0011b6632ca66df24e94b

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 16:00

Target

$R3NK09Y.exe
Size

16.4MB
MD5

c9cde10ef15429feeb2177a12b8ecd9b
SHA1

a77ab463eef7ff052fef80452d66bba49ee1ef1c
SHA256

e7e356483dbdb34e2b69f22cd6e10d6b31bcd43c24f5724010e683656e16933d
SHA512

d9c99be64909b61f15a2af370d58d1e5f727dec58aa6c694efce842d1575e0877d22cab93619572899a6be2aada5578c820896d98dff1c5ec67c7ce8f436a17e
SSDEEP

196608:FgL9HLAlndpb7KX/Rdarz60/460ii8kB6yTNJm3AqM+KCKW4nZQobtxoYByzKX93:cxAlndYX5UrzR8BRT/m3pqCgzNNxu87

Score

7^/10

upx

Loads dropped DLL 1 IoCs

pid	Process
2484	$R3NK09Y.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x00050000000193ee-102.dat	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2484	1904	$R3NK09Y.exe	28
PID 1904 wrote to memory of 2484	1904	$R3NK09Y.exe	28
PID 1904 wrote to memory of 2484	1904	$R3NK09Y.exe	28

C:\Users\Admin\AppData\Local\Temp\$R3NK09Y.exe
"C:\Users\Admin\AppData\Local\Temp\$R3NK09Y.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\$R3NK09Y.exe
  "C:\Users\Admin\AppData\Local\Temp\$R3NK09Y.exe"
  2⤵
  - Loads dropped DLL
  PID:2484

C:\Users\Admin\AppData\Local\Temp\_MEI19042\python310.dll

Filesize
1.4MB

MD5
9757d49b0665074358f3ab977e0ff907

SHA1
7d220a33737266ac73cc674c80217810f63238ee

SHA256
6d2a781b8ecacb9044b5617e89f2cbd65bd21791a96d1fc4ece1dabc4fa47024

SHA512
4a94c756f0b9a610ee5e6f6530ccbad180c81ba015d3d23c51486d6d129d654d464cdcd1b7ff6ce68ac6e8578e7121343bbd88e7900bb8fa685fe091e75690ca

Download Submit
memory/2484-104-0x000007FEF5860000-0x000007FEF5CC6000-memory.dmp

Filesize
4.4MB

Download