cbe72bddd72e482fe141a01202878031d3959f1e4df675872094e38d30f821ea

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 11:15

Target

Bober.su.exe
Size

7.4MB
MD5

6e546ac9997b820e109fd7b3b50a444b
SHA1

4ec0f21203a8c17bed27092749917298676a07cb
SHA256

cbe72bddd72e482fe141a01202878031d3959f1e4df675872094e38d30f821ea
SHA512

f3ba186d39df8e83052e93765ce8e9447f9a63c4654092a2b90b7f1ddbf539fd534a4020af0289d5fb572017fe44c268db48a46b294118585529f66e819b27ed
SSDEEP

196608:Er3l8PELjv+bhqNVoB0SEsucQZ41JBbIP11tJD:c8PEL+9qz80SJHQK1Jy1vJD

Score

7^/10

upx

Loads dropped DLL 1 IoCs

pid	Process
1200	Bober.su.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x00050000000195fb-21.dat	upx
behavioral1/memory/1200-23-0x000007FEF63A0000-0x000007FEF698E000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1200	1712	Bober.su.exe	30
PID 1712 wrote to memory of 1200	1712	Bober.su.exe	30
PID 1712 wrote to memory of 1200	1712	Bober.su.exe	30

C:\Users\Admin\AppData\Local\Temp\Bober.su.exe
"C:\Users\Admin\AppData\Local\Temp\Bober.su.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\Bober.su.exe
  "C:\Users\Admin\AppData\Local\Temp\Bober.su.exe"
  2⤵
  - Loads dropped DLL
  PID:1200

C:\Users\Admin\AppData\Local\Temp\_MEI17122\python311.dll

Filesize
1.6MB

MD5
76eb1ad615ba6600ce747bf1acde6679

SHA1
d3e1318077217372653be3947635b93df68156a4

SHA256
30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1

SHA512
2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb

Download Submit
memory/1200-23-0x000007FEF63A0000-0x000007FEF698E000-memory.dmp

Filesize
5.9MB

Download