c6be6799b833b319329560142cea34baae5691543f1c2a01a91982e6515a1a8f

Analysis

max time kernel
138s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:19

Target

c6be6799b833b319329560142cea34baae5691543f1c2a01a91982e6515a1a8f.dll
Size

3.7MB
MD5

2dd39ae069e07bb15df5c75342f29b5f
SHA1

4d7c6fc39978d0e3c929841e8480aa9c93ea5995
SHA256

c6be6799b833b319329560142cea34baae5691543f1c2a01a91982e6515a1a8f
SHA512

ebba2070eae04671f6712617942565fbedd6812f15bfe1bbaa4b3d4305891aa5942c77e7313e6abeacc088804f5b76f9833f4a9a34f7af28fb2ac179ec7d476a
SSDEEP

49152:6LozW+UTKv3T4lizLdg8WCwz95NdJ8vuafMk7BorFLLKkRXqrLFp6oe3s9RSdtls:6LH+3ZzLdg9Km8B2t/XwFsdtlgIy

Score

7^/10

upx

Executes dropped EXE 1 IoCs

Processes:

YShow3D.exe

pid process

4304 YShow3D.exe

pid	process
4304	YShow3D.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/3740-0-0x0000000010000000-0x00000000103C5000-memory.dmp	upx
behavioral2/memory/3740-1-0x0000000010000000-0x00000000103C5000-memory.dmp	upx
behavioral2/memory/3740-3-0x0000000010000000-0x00000000103C5000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

rundll32.exe

pid process

3740 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

YShow3D.exe

pid process

4304 YShow3D.exe

pid	process
3740	rundll32.exe

pid	process
4304	YShow3D.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4028 wrote to memory of 3740	4028	rundll32.exe	rundll32.exe
PID 4028 wrote to memory of 3740	4028	rundll32.exe	rundll32.exe
PID 4028 wrote to memory of 3740	4028	rundll32.exe	rundll32.exe
PID 3740 wrote to memory of 4304	3740	rundll32.exe	YShow3D.exe
PID 3740 wrote to memory of 4304	3740	rundll32.exe	YShow3D.exe
PID 3740 wrote to memory of 4304	3740	rundll32.exe	YShow3D.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6be6799b833b319329560142cea34baae5691543f1c2a01a91982e6515a1a8f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6be6799b833b319329560142cea34baae5691543f1c2a01a91982e6515a1a8f.dll,#1
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Users\Admin\AppData\Local\Temp\YShow3D.exe
    C:\Users\Admin\AppData\Local\Temp\\YShow3D.exe /i ÕÒ²»µ½Ö¸¶¨µÄ¼ÓÃÜËø£¡ /t ÌáÊ¾ /k 16
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4304

C:\Users\Admin\AppData\Local\Temp\YShow3D.exe

Filesize
326KB

MD5
08c643c256d31bf018d9b099482ea1a7

SHA1
8235a6d3e6ceaf7f4237c2b81a871fa936d64984

SHA256
3eb030744468aad8e778b22d62c6610f84f6c6371219e1469afed4e3f1427781

SHA512
a46e5d258e145b26006dd175a41dfa9e39db92fe604683c180a1089047d9d8ef229f1761e07b66a22382f4fdf8c5e0e1e081b867228c0a63eb9f7627329d2085

Download Submit
memory/3740-0-0x0000000010000000-0x00000000103C5000-memory.dmp

Filesize
3.8MB

Download
memory/3740-2-0x000000001031F000-0x0000000010320000-memory.dmp

Filesize
4KB

Download
memory/3740-1-0x0000000010000000-0x00000000103C5000-memory.dmp

Filesize
3.8MB

Download
memory/3740-3-0x0000000010000000-0x00000000103C5000-memory.dmp

Filesize
3.8MB

Download