35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c

Analysis

max time kernel
140s
max time network
143s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 21:11

Target

35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c.exe
Size

87KB
MD5

3d9ea9e6b52fee2a7b762e8de8957e15
SHA1

9ba4e63407c75f873aea5b1a480697319644a58c
SHA256

35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c
SHA512

5f2013edb4d96ae1caaa4cac4dcc0fc0ffdbfb62d392e8a87d7d079cd31c5694a87bdccec5967a45dfada7516c08fd6b82300d18be49a56eb4b79fa14c7f0727
SSDEEP

1536:zeIb/GntmGcF7LVBReqx+476rVdQdpaUjmHo21yYD3H6rFgY893sLBqAOgShVKkH:zec/LGcFVsKdpaUi7yYDX6zJS9

Score

7^/10

upx

Executes dropped EXE 1 IoCs

Processes:

yaxkodila.exe

pid process

1876 yaxkodila.exe
Loads dropped DLL 1 IoCs

Processes:

35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c.exe

pid process

2548 35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c.exe

pid	process
1876	yaxkodila.exe

pid	process
2548	35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/2548-0-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2548-6-0x0000000000400000-0x0000000000427000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\yaxkodila.exe	upx
behavioral1/memory/1876-8-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1876-11-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 icanhazip.com

flow	ioc
4	icanhazip.com

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c.exe

description	pid	process	target process
PID 2548 wrote to memory of 1876	2548	35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c.exe	yaxkodila.exe
PID 2548 wrote to memory of 1876	2548	35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c.exe	yaxkodila.exe
PID 2548 wrote to memory of 1876	2548	35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c.exe	yaxkodila.exe
PID 2548 wrote to memory of 1876	2548	35b5e878a15bb97c25d340c5dd65f118b3467605e209741002d2cba3a813318c.exe	yaxkodila.exe

C:\Users\Admin\AppData\Local\Temp\yaxkodila.exe
C:\Users\Admin\AppData\Local\Temp\yaxkodila.exe
2⤵
- Executes dropped EXE
PID:1876

\Users\Admin\AppData\Local\Temp\yaxkodila.exe

Filesize
88KB

MD5
caa381b913bfb5f68581fca4470b3186

SHA1
cfc2dfef5afa425d6765cb11add1665b5a2bd017

SHA256
c547787bc2c639de3bf724ddb43fe3612e42f21421d0375b587ff25426c69df7

SHA512
6f4fa228ae87e2ec606e4145962b8a894e692e88c64306fbd2334d09e0c87aff3843fe3fc10127b1acb10a6436b0532141598aa56d79979485c0eefb73ddf589

Download Submit
memory/1876-10-0x0000000000415000-0x0000000000417000-memory.dmp

Filesize
8KB

Download
memory/1876-8-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1876-11-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2548-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2548-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download