338ca004e1994a33896b5604ce2c54ed66c9a4458713f1155f367bcf1101c108

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 07:46

Target

Hellion.exe
Size

9.4MB
MD5

a464856f099bb1fadf24702ea369eb62
SHA1

c2da84edd2cda1d98f3bad5d3231888cc2afe211
SHA256

338ca004e1994a33896b5604ce2c54ed66c9a4458713f1155f367bcf1101c108
SHA512

90360c36179a9d1de37fb4221330f3f6acfb593080fa5dd31901c3e46181faee35d5b4f4762702a70aee46c990edf75f8dac3505390892498f0a8fa0b583272a
SSDEEP

196608:ihIQTxzKISwLRXgWPmpzdhqiYB6yD+KdWrC8o/1:iTxzh5L1V8d8BR53

Score

7^/10

upx

Loads dropped DLL 1 IoCs

pid	Process
1700	Hellion.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x0006000000017458-46.dat	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 1700	1812	Hellion.exe	28
PID 1812 wrote to memory of 1700	1812	Hellion.exe	28
PID 1812 wrote to memory of 1700	1812	Hellion.exe	28

C:\Users\Admin\AppData\Local\Temp\Hellion.exe
"C:\Users\Admin\AppData\Local\Temp\Hellion.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Temp\Hellion.exe
  "C:\Users\Admin\AppData\Local\Temp\Hellion.exe"
  2⤵
  - Loads dropped DLL
  PID:1700

C:\Users\Admin\AppData\Local\Temp\_MEI18122\python310.dll

Filesize
1.4MB

MD5
259f0b7b6eed52d7766fa294ee0db193

SHA1
f158995508e460c47748666219a54ee575973397

SHA256
9b88ca9240770931a2041e6d05ad4508b391859f8ed3603303935dcc1e55c406

SHA512
7efd3402d4cbd1146444fdab5eeb4a8aab6fec04b718761da3e0fd417d67e9576fc354737b3453f9e9c12210f1930e6eadd7c0570242b0c8a548fdb92051360c

Download Submit
memory/1700-48-0x000007FEF5C00000-0x000007FEF6066000-memory.dmp

Filesize
4.4MB

Download