1796c962f334eb3814163ed6d09b3c29a4b08f545d12663b3b3c8ec0093acba0

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 01:35

Target

Rezama-executor.exe
Size

7.7MB
MD5

5de3184d440140d7a463c50450fcc250
SHA1

da7bcf23c2b43383564b3e759d71650f4ed65cfa
SHA256

1796c962f334eb3814163ed6d09b3c29a4b08f545d12663b3b3c8ec0093acba0
SHA512

a1198a60c36e34ed3c18ae68944a8fec6a0cee6fdc70140ac212171300810933ea197611d8358bb272e0a72bc4a5cb4f663d9fa69583bf237f5dbed474fb53fb
SSDEEP

196608:IVD+kdqwfI9jUCBB7m+mKOY7rXrZusoSDmhfvsbnTNeWV:I5TIHL7HmBYXrYSaUN3

Score

7^/10

upx

Loads dropped DLL 1 IoCs

pid	Process
580	Rezama-executor.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x00050000000195fe-21.dat	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 580	2084	Rezama-executor.exe	31
PID 2084 wrote to memory of 580	2084	Rezama-executor.exe	31
PID 2084 wrote to memory of 580	2084	Rezama-executor.exe	31

C:\Users\Admin\AppData\Local\Temp\Rezama-executor.exe
"C:\Users\Admin\AppData\Local\Temp\Rezama-executor.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\Rezama-executor.exe
  "C:\Users\Admin\AppData\Local\Temp\Rezama-executor.exe"
  2⤵
  - Loads dropped DLL
  PID:580

C:\Users\Admin\AppData\Local\Temp\_MEI20842\python313.dll

Filesize
1.8MB

MD5
9a3d3ae5745a79d276b05a85aea02549

SHA1
a5e60cac2ca606df4f7646d052a9c0ea813e7636

SHA256
09693bab682495b01de8a24c435ca5900e11d2d0f4f0807dae278b3a94770889

SHA512
46840b820ee3c0fa511596124eb364da993ec7ae1670843a15afd40ac63f2c61846434be84d191bd53f7f5f4e17fad549795822bb2b9c792ac22a1c26e5adf69

Download Submit
memory/580-23-0x000007FEF6190000-0x000007FEF67F5000-memory.dmp

Filesize
6.4MB

Download