bbcfe534618560a3cd72b8127f511c3547de0e24765beb09d6cbc6a0012fe73d

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/11/2024, 23:13

Target

Ravange.exe
Size

80.6MB
MD5

75788c90ee089a92585102dcf14fa3bc
SHA1

c2407571cf0466d808f1ec0d167b8118d958b8aa
SHA256

bbcfe534618560a3cd72b8127f511c3547de0e24765beb09d6cbc6a0012fe73d
SHA512

e514d1c7d705afca8185039717af5b8f0622576ce53053186d1eeacbf7e435e953cb06ebc79dc37f388cf26c6ccf6170294644be56213d6bd08e34ebbd6d9471
SSDEEP

1572864:pGKlqWLH00hSk8IpG7V+VPhqclE7plifiYgj+h58sMwAerlFipjcJ5j:gKMmNSkB05awcIwB5serqgj

Score

7^/10

upx

Loads dropped DLL 1 IoCs

pid	Process
1288	Ravange.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x0003000000020aad-1264.dat	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 1288	2960	Ravange.exe	30
PID 2960 wrote to memory of 1288	2960	Ravange.exe	30
PID 2960 wrote to memory of 1288	2960	Ravange.exe	30

C:\Users\Admin\AppData\Local\Temp\Ravange.exe
"C:\Users\Admin\AppData\Local\Temp\Ravange.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\Ravange.exe
  "C:\Users\Admin\AppData\Local\Temp\Ravange.exe"
  2⤵
  - Loads dropped DLL
  PID:1288

C:\Users\Admin\AppData\Local\Temp\_MEI29602\python311.dll

Filesize
1.6MB

MD5
546cc5fe76abc35fdbf92f682124e23d

SHA1
5c1030752d32aa067b49125194befee7b3ee985a

SHA256
43bff2416ddd123dfb15d23dc3e99585646e8df95633333c56d85545029d1e76

SHA512
cb75334f2f36812f3a5efd500b2ad97c21033a7a7054220e58550e95c3408db122997fee70a319aef8db6189781a9f2c00a9c19713a89356038b87b036456720

Download Submit
memory/1288-1266-0x000007FEF5610000-0x000007FEF5BF9000-memory.dmp

Filesize
5.9MB

Download