dcf517b48094726367f1fdb2ace3f2cfd29f4f9710512f45ecb0109d03cc0dcc

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 07:18

Target

phost.exe
Size

7.5MB
MD5

8c43bf4445cac5fa025b9dfd07517b6f
SHA1

b7e9e405e3867213cd3e544574ceff70bef2b6fb
SHA256

dcf517b48094726367f1fdb2ace3f2cfd29f4f9710512f45ecb0109d03cc0dcc
SHA512

95097a7d6cbd1bf6ef197a740d70f98ba5dfd8081c3bee0f9f8e3bd100df36a949d5caa770c918f01f4c1d78227ba355026a3774ca2b06329fe6bc5bba00a8a3
SSDEEP

196608:oPvLjv+bhqNVoBLD7fEXEoYbiIv9pvvk9fIiZ1jA:ajL+9qz8LD7fEUbiIqQgpA

Score

7^/10

upx

Loads dropped DLL 1 IoCs

pid	Process
1948	phost.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x0005000000019622-21.dat	upx
behavioral1/memory/1948-23-0x000007FEF5340000-0x000007FEF5A10000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 1948	1288	phost.exe	30
PID 1288 wrote to memory of 1948	1288	phost.exe	30
PID 1288 wrote to memory of 1948	1288	phost.exe	30

C:\Users\Admin\AppData\Local\Temp\phost.exe
"C:\Users\Admin\AppData\Local\Temp\phost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\phost.exe
  "C:\Users\Admin\AppData\Local\Temp\phost.exe"
  2⤵
  - Loads dropped DLL
  PID:1948

C:\Users\Admin\AppData\Local\Temp\_MEI12882\python312.dll

Filesize
1.7MB

MD5
86d9b8b15b0340d6ec235e980c05c3be

SHA1
a03bdd45215a0381dcb3b22408dbc1f564661c73

SHA256
12dbbcd67015d6cdb680752184107b7deb84e906b0e8e860385f85d33858a5f6

SHA512
d360cc3f00d90fd04cbba09d879e2826968df0c1fdc44890c60b8450fe028c3e767450c3543c62d4f284fb7e004a9a33c52538c2279221ee6cbdb1a9485f88b2

Download Submit
memory/1948-23-0x000007FEF5340000-0x000007FEF5A10000-memory.dmp

Filesize
6.8MB

Download