18b35ae3626acb00ab08c540524a63740af187aa772f22fd33de6b8fd00afd3d

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 16:38

Target

PhoneSpammerIL.exe
Size

17.8MB
MD5

192a9969fc2cb8506eebfb8510a8317a
SHA1

49a9934a7fd0f0c7669ad9ee7d03dadbd2acbaeb
SHA256

18b35ae3626acb00ab08c540524a63740af187aa772f22fd33de6b8fd00afd3d
SHA512

cfb28a8910f4d6569eb053ac8199d5698e4038984fb5917bfbfee0ba05990676a67678cb8743effb41cfb555ad4b3d082207b53529e13d9d896e83caacdbeb21
SSDEEP

393216:kqPnLFXlcHK9Qc8nAB3Q0GKygbcnNjHHvEa9/fP21Xtmo:FPLFXOK9QFkAJUcnNjHsmfPho

Score

7^/10

upx

Loads dropped DLL 1 IoCs

pid	Process
1720	PhoneSpammerIL.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x000500000001a4f0-112.dat	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 1720	548	PhoneSpammerIL.exe	31
PID 548 wrote to memory of 1720	548	PhoneSpammerIL.exe	31
PID 548 wrote to memory of 1720	548	PhoneSpammerIL.exe	31

C:\Users\Admin\AppData\Local\Temp\PhoneSpammerIL.exe
"C:\Users\Admin\AppData\Local\Temp\PhoneSpammerIL.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\PhoneSpammerIL.exe
  "C:\Users\Admin\AppData\Local\Temp\PhoneSpammerIL.exe"
  2⤵
  - Loads dropped DLL
  PID:1720

C:\Users\Admin\AppData\Local\Temp\_MEI5482\python310.dll

Filesize
1.4MB

MD5
cb0b4cf4ee16344ab13914c95e2ef4ce

SHA1
ba7a0b9d76e9dccdc6097d7e98ec0d20879e1c61

SHA256
a2b591ecadbd12bd1cd6e1c231bff1e814b71e9e99ffca450ece2f736e5ef1b6

SHA512
cdc9ad107a275bbe8e93c06f6dd0d2a2c1ac13df92a216fb98485583ecfb6e3d92f2c87c4dd80aceb05f3e9a4113468e60891ef4e3245386eb30201927384dd5

Download Submit
memory/1720-114-0x000007FEF62A0000-0x000007FEF6706000-memory.dmp

Filesize
4.4MB

Download