8c86b9189a3a960d7497e3452e61d6459b80065ab442cebb6f9b4d94b5990303

Analysis

max time kernel
119s
max time network
126s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
24/11/2024, 16:32

Target

theone.exe
Size

78.4MB
MD5

1f12b432ddbddf37c0f4efa3a21621a6
SHA1

faf84e657a9b363625473604a0eafffd882a29a8
SHA256

8c86b9189a3a960d7497e3452e61d6459b80065ab442cebb6f9b4d94b5990303
SHA512

8ee7a05eb2882ec05532c90067f9b5a6ca4b0c5240d37c6e4fce3ba55ec3e554c582cae714ef11f384c4ae1186f9a2d522ebb2a4dfc7f5a196e6cb08475920d1
SSDEEP

1572864:01l9Wg0hSk8IpG7V+VPhqQ2dfzE7RlhTRiYweyJulZUdg1hWbYysV3O/v:01HmSkB05awRfWLapuxhUkiv

Score

7^/10

upx

Loads dropped DLL 1 IoCs

pid	Process
3000	theone.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x0003000000020ac5-1270.dat	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 3000	2556	theone.exe	31
PID 2556 wrote to memory of 3000	2556	theone.exe	31
PID 2556 wrote to memory of 3000	2556	theone.exe	31

C:\Users\Admin\AppData\Local\Temp\theone.exe
"C:\Users\Admin\AppData\Local\Temp\theone.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\theone.exe
  "C:\Users\Admin\AppData\Local\Temp\theone.exe"
  2⤵
  - Loads dropped DLL
  PID:3000

C:\Users\Admin\AppData\Local\Temp\_MEI25562\python312.dll

Filesize
1.7MB

MD5
36e9be7e881d1dc29295bf7599490241

SHA1
5b6746aedac80f0e6f16fc88136bcdcbd64b3c65

SHA256
ebef43e92267a17f44876c702c914aafa46b997b63223ff46b12149fd2a2616e

SHA512
090d4e9092b7fe00180164b6f84b4bd1d1a1e12dc8fea042eaa0e75cc08bb9994c91c3853bedec390208db4ef2e3447cd9be20d7dc20c14e6deb52a141d554cf

Download Submit
memory/3000-1272-0x000007FEF6190000-0x000007FEF6855000-memory.dmp

Filesize
6.8MB

Download