2967568046ac1194d32e3163b20e488b670072bfbeb93686ea19f3cae7c3a63e

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 04:42

Target

loader.exe
Size

80.5MB
MD5

fe881c14842784ffa354d02e89ac13a0
SHA1

af1eb137d94bb7817c3c76e3a53471eb303195cf
SHA256

2967568046ac1194d32e3163b20e488b670072bfbeb93686ea19f3cae7c3a63e
SHA512

2402dcf38100896da0cfe711aefbae06391504eea2c6d24930f27ad6244de9dba126a3b817d71d81e5d121d5153c3aa03a7abb5e64b5e2dbab4fcd38ddd334c9
SSDEEP

1572864:VGKlgWjysmwSk8IpG7V+VPhqHJE70bli08iYgj+h58sMw/DuJZeT:0KijsmwSkB05awHfw025LiJ

Score

7^/10

upx

Loads dropped DLL 1 IoCs

pid	Process
1400	loader.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x0003000000020acd-1264.dat	upx
behavioral1/memory/1400-1266-0x000007FEF56D0000-0x000007FEF5CB8000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 1400	2556	loader.exe	31
PID 2556 wrote to memory of 1400	2556	loader.exe	31
PID 2556 wrote to memory of 1400	2556	loader.exe	31

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Loads dropped DLL
  PID:1400

C:\Users\Admin\AppData\Local\Temp\_MEI25562\python311.dll

Filesize
1.6MB

MD5
87b5d21226d74f069b5ae8fb74743236

SHA1
153651a542db095d0f9088a97351b90d02b307ac

SHA256
3cac88119657daef7f79844aeb9da79b45c1f3bb2ea3468b0d4ed26067852194

SHA512
788bb26b3f4ce99a2b49eef2742972fe843bdd97d361a6e67237f29376648ea6f874f1f6ba6dd53c74ef51a29e650a02fb99dfc30b5badfa9d2e05491f81d7d6

Download Submit
memory/1400-1266-0x000007FEF56D0000-0x000007FEF5CB8000-memory.dmp

Filesize
5.9MB

Download