335e38a7985a1357ffe96c98258a8a8a4e10897a3a5bd97c06de9a8f5bc98c7b

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 15:45

Target

ExmPaidTweaks.exe
Size

7.4MB
MD5

fb85c9ed03b0ba5a1cb056918422b013
SHA1

68e862e622451164142f5143965109097daf3353
SHA256

335e38a7985a1357ffe96c98258a8a8a4e10897a3a5bd97c06de9a8f5bc98c7b
SHA512

832978b77aae80cf12d6feea3bb54c7c5766985e0279c78d4164b2499e8b9c1269f6ce709e4b899fe4687240f47f3673803f29804063c6a7c5ae96468c2178f0
SSDEEP

196608:jY8PgLjv+bhqNVoB0SEsucQZ41JBbIR11tY:c8PwL+9qz80SJHQK1JI1vY

Score

7^/10

upx

Loads dropped DLL 1 IoCs

pid	Process
2092	ExmPaidTweaks.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x0005000000019428-21.dat	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2092	2936	ExmPaidTweaks.exe	30
PID 2936 wrote to memory of 2092	2936	ExmPaidTweaks.exe	30
PID 2936 wrote to memory of 2092	2936	ExmPaidTweaks.exe	30

C:\Users\Admin\AppData\Local\Temp\ExmPaidTweaks.exe
"C:\Users\Admin\AppData\Local\Temp\ExmPaidTweaks.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\ExmPaidTweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\ExmPaidTweaks.exe"
  2⤵
  - Loads dropped DLL
  PID:2092

C:\Users\Admin\AppData\Local\Temp\_MEI29362\python311.dll

Filesize
1.6MB

MD5
76eb1ad615ba6600ce747bf1acde6679

SHA1
d3e1318077217372653be3947635b93df68156a4

SHA256
30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1

SHA512
2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb

Download Submit
memory/2092-23-0x000007FEF5F80000-0x000007FEF656E000-memory.dmp

Filesize
5.9MB

Download