c6be6799b833b319329560142cea34baae5691543f1c2a01a91982e6515a1a8f

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 02:19

Target

c6be6799b833b319329560142cea34baae5691543f1c2a01a91982e6515a1a8f.dll
Size

3.7MB
MD5

2dd39ae069e07bb15df5c75342f29b5f
SHA1

4d7c6fc39978d0e3c929841e8480aa9c93ea5995
SHA256

c6be6799b833b319329560142cea34baae5691543f1c2a01a91982e6515a1a8f
SHA512

ebba2070eae04671f6712617942565fbedd6812f15bfe1bbaa4b3d4305891aa5942c77e7313e6abeacc088804f5b76f9833f4a9a34f7af28fb2ac179ec7d476a
SSDEEP

49152:6LozW+UTKv3T4lizLdg8WCwz95NdJ8vuafMk7BorFLLKkRXqrLFp6oe3s9RSdtls:6LH+3ZzLdg9Km8B2t/XwFsdtlgIy

Score

7^/10

upx

Executes dropped EXE 1 IoCs

Processes:

YShow3D.exe

pid process

2020 YShow3D.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2900 rundll32.exe

pid	process
2020	YShow3D.exe

pid	process
2900	rundll32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/2900-1-0x0000000010000000-0x00000000103C5000-memory.dmp	upx
behavioral1/memory/2900-2-0x0000000010000000-0x00000000103C5000-memory.dmp	upx
behavioral1/memory/2900-0-0x0000000010000000-0x00000000103C5000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

rundll32.exe

pid process

2900 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

YShow3D.exe

pid process

2020 YShow3D.exe

pid	process
2900	rundll32.exe

pid	process
2020	YShow3D.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2036 wrote to memory of 2900	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 2900	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 2900	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 2900	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 2900	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 2900	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 2900	2036	rundll32.exe	rundll32.exe
PID 2900 wrote to memory of 2020	2900	rundll32.exe	YShow3D.exe
PID 2900 wrote to memory of 2020	2900	rundll32.exe	YShow3D.exe
PID 2900 wrote to memory of 2020	2900	rundll32.exe	YShow3D.exe
PID 2900 wrote to memory of 2020	2900	rundll32.exe	YShow3D.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6be6799b833b319329560142cea34baae5691543f1c2a01a91982e6515a1a8f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6be6799b833b319329560142cea34baae5691543f1c2a01a91982e6515a1a8f.dll,#1
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\YShow3D.exe
    C:\Users\Admin\AppData\Local\Temp\\YShow3D.exe /i ÕÒ²»µ½Ö¸¶¨µÄ¼ÓÃÜËø£¡ /t ÌáÊ¾ /k 16
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2020

C:\Users\Admin\AppData\Local\Temp\YShow3D.exe

Filesize
326KB

MD5
08c643c256d31bf018d9b099482ea1a7

SHA1
8235a6d3e6ceaf7f4237c2b81a871fa936d64984

SHA256
3eb030744468aad8e778b22d62c6610f84f6c6371219e1469afed4e3f1427781

SHA512
a46e5d258e145b26006dd175a41dfa9e39db92fe604683c180a1089047d9d8ef229f1761e07b66a22382f4fdf8c5e0e1e081b867228c0a63eb9f7627329d2085

Download Submit
memory/2900-1-0x0000000010000000-0x00000000103C5000-memory.dmp

Filesize
3.8MB

Download
memory/2900-2-0x0000000010000000-0x00000000103C5000-memory.dmp

Filesize
3.8MB

Download
memory/2900-0-0x0000000010000000-0x00000000103C5000-memory.dmp

Filesize
3.8MB

Download
memory/2900-10-0x000000001031F000-0x0000000010320000-memory.dmp

Filesize
4KB

Download
memory/2900-9-0x0000000002180000-0x00000000022AB000-memory.dmp

Filesize
1.2MB

Download