3ff44eb6fa09e30244985b6eaf8d466811665f5cc9c1dc95be14323e5f35bd1d

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 00:05

Target

FORVM.exe
Size

75.8MB
MD5

b7c62163cc728e732b7a02cf8895c131
SHA1

6c7a8c9fba1c9652c5614c8733c5f15a6105ad24
SHA256

3ff44eb6fa09e30244985b6eaf8d466811665f5cc9c1dc95be14323e5f35bd1d
SHA512

3b75f8eb10609f77020900c3465658e49984c898eb082d1ceaea112ca2374d781e49903b168d68f4bd4c52fcf71a45bf40965de031eed1d650fbb6ab648afa7c
SSDEEP

1572864:F8Vl3WqomcSk8IpG7V+VPhqIUE7W0lKtFiY4MHHLeqPNLtDaNYeVZZIdcN:FKBtomcSkB05awIA0MoMHVLteNBVAdc

Score

7^/10

upx

Loads dropped DLL 1 IoCs

pid	Process
2104	FORVM.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x0003000000020b08-1267.dat	upx
behavioral1/memory/2104-1269-0x000007FEF62D0000-0x000007FEF673E000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2104	3016	FORVM.exe	31
PID 3016 wrote to memory of 2104	3016	FORVM.exe	31
PID 3016 wrote to memory of 2104	3016	FORVM.exe	31

C:\Users\Admin\AppData\Local\Temp\FORVM.exe
"C:\Users\Admin\AppData\Local\Temp\FORVM.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\FORVM.exe
  "C:\Users\Admin\AppData\Local\Temp\FORVM.exe"
  2⤵
  - Loads dropped DLL
  PID:2104

C:\Users\Admin\AppData\Local\Temp\_MEI30162\python310.dll

Filesize
1.4MB

MD5
933b49da4d229294aad0c6a805ad2d71

SHA1
9828e3ce504151c2f933173ef810202d405510a4

SHA256
ab3e996db016ba87004a3c4227313a86919ff6195eb4b03ac1ce523f126f2206

SHA512
6023188f3b412dd12c2d4f3a8e279dcace945b6e24e1f6bbd4e49a5d2939528620ceb9a5f77b9a47d2d0454e472e2999240b81bed0239e7e400a4e25c96e1165

Download Submit
memory/2104-1269-0x000007FEF62D0000-0x000007FEF673E000-memory.dmp

Filesize
4.4MB

Download