28514f796c87d65f3ec176d2573a4fc0d8fb3e456706a2bcaa7a15700a4b3e8f

Analysis

max time kernel
2s
max time network
6s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 00:02

Target

Nebula.exe
Size

17.7MB
MD5

18e7be26e2d977a1329e85c94ea6b3ca
SHA1

288c79040a1d8f1cc969355529d653c623c25b8c
SHA256

28514f796c87d65f3ec176d2573a4fc0d8fb3e456706a2bcaa7a15700a4b3e8f
SHA512

deab6e1ea32ffb428e827120a78591560c79a604b2d34fc1f5bea639d317e0852a9846b06b6017999d9bb30c8452c4cb59680c8a40f24522d33f6e1db98400f1
SSDEEP

393216:WqPnLFXltZK9Qf8nAB3Q0GhgiRSSCvEuX3X/ZLx:7PLFXtK9Q0kAX7RSSb4XF

Score

7^/10

upx

Loads dropped DLL 1 IoCs

pid	Process
1652	Nebula.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x000500000001c848-112.dat	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 1652	2824	Nebula.exe	30
PID 2824 wrote to memory of 1652	2824	Nebula.exe	30
PID 2824 wrote to memory of 1652	2824	Nebula.exe	30

C:\Users\Admin\AppData\Local\Temp\Nebula.exe
"C:\Users\Admin\AppData\Local\Temp\Nebula.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\Nebula.exe
  "C:\Users\Admin\AppData\Local\Temp\Nebula.exe"
  2⤵
  - Loads dropped DLL
  PID:1652

C:\Users\Admin\AppData\Local\Temp\_MEI28242\python310.dll

Filesize
1.4MB

MD5
cb0b4cf4ee16344ab13914c95e2ef4ce

SHA1
ba7a0b9d76e9dccdc6097d7e98ec0d20879e1c61

SHA256
a2b591ecadbd12bd1cd6e1c231bff1e814b71e9e99ffca450ece2f736e5ef1b6

SHA512
cdc9ad107a275bbe8e93c06f6dd0d2a2c1ac13df92a216fb98485583ecfb6e3d92f2c87c4dd80aceb05f3e9a4113468e60891ef4e3245386eb30201927384dd5

Download Submit
memory/1652-114-0x000007FEF6900000-0x000007FEF6D66000-memory.dmp

Filesize
4.4MB

Download