a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a

Analysis

max time kernel
3s
max time network
102s
platform
windows7_x64
resource
win7-20220414-en
submitted
30-06-2022 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a.exe
Size

4.4MB
MD5

364526dd099a238f2351e994be7a912c
SHA1

d8f39848296c18372421bba022bd62a688adcd0c
SHA256

a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a
SHA512

67ab390b2635c36f180659401f4877bc72600bc27b53c46b06ca9f08eb82e5a3449069a9c6463e43d7803e3741ce86569c97c822f018405b54599981286512ed

Score

8^/10

discovery upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/552-54-0x0000000000400000-0x0000000004B72000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1464 rundll32.exe
1464 rundll32.exe
1464 rundll32.exe
1464 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 1464 rundll32.exe

pid	process
1464	rundll32.exe
1464	rundll32.exe
1464	rundll32.exe
1464	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1464	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a.exe

description	pid	process	target process
PID 552 wrote to memory of 1464	552	a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a.exe	rundll32.exe
PID 552 wrote to memory of 1464	552	a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a.exe	rundll32.exe
PID 552 wrote to memory of 1464	552	a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a.exe	rundll32.exe
PID 552 wrote to memory of 1464	552	a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a.exe	rundll32.exe
PID 552 wrote to memory of 1464	552	a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a.exe	rundll32.exe
PID 552 wrote to memory of 1464	552	a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a.exe	rundll32.exe
PID 552 wrote to memory of 1464	552	a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a.exe
"C:\Users\Admin\AppData\Local\Temp\a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A26760~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\A26760~1.EXE
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\A26760~1.DLL,GxIJjBzdApg=
3⤵
PID:1264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A26760~1.DLL
Filesize
25KB

MD5
7a55fd699f21c2b544da43ca09816c9e

SHA1
1da58a5f6bc6525fff22b92410194fb35187b92d

SHA256
ef85da09af3dfa46582a211597328f0ded9176993b0aa871157f2fa3a20590fb

SHA512
b5847bf2c7708420fb26dcf0b2a0137641d7992f8d9b254da06261dca44c857f1f22f9cc92777292e81193e761c01ada220d6db1b74a6d78005ad9d9a01a5a43

Download Submit
\Users\Admin\AppData\Local\Temp\A26760~1.DLL
Filesize
33KB

MD5
9c6126cb7914f87e1471ff0adc1b9f39

SHA1
6ec635469eef1b124f55843d6b35cda1c31e2274

SHA256
a4786661635cfb8293c5aee0635598d37300ba7b6f0520d4bbc8bdf63120be5d

SHA512
10206119ad7050b3114719c656c31fa84e2f7c1e43409131e5a9dbfb07147abff98b1635f50f7a36cad868a7b2bb32d86cef1ac20174ef58df9bac8c39eed547

Download Submit
\Users\Admin\AppData\Local\Temp\A26760~1.DLL
Filesize
28KB

MD5
8a9941795cbd33e013642420a47a2d64

SHA1
ee965b844a32531d4e69ef08cbc82969ead71525

SHA256
59d8fe981d71c20c590296a911c862b34e90e07086722e9dd5022f2e754a1502

SHA512
4dab19e340d45ef8b3e98398af5433ab1c74a61c13bbbd26f8ac6a01945405c1696292fa52301e17e69fb21ef341be16f7d1b118dda831aba203508ff1b5d5d2

Download Submit
\Users\Admin\AppData\Local\Temp\A26760~1.DLL
Filesize
21KB

MD5
d6d227a9bfd90ebf0d37ec0dd50fef14

SHA1
4d023e42f97544077bbeaceaf7a149fec8e73562

SHA256
f37eb6ab61669950c5fab03ce24db9de9d80bd80691cc0e7fe5a0ccc6c77c643

SHA512
a4aa2c6c05e04cef2fd604a57181c01e81a93ccc6e2d79f46b7034cb7558b4965feba51d33443787d154d57500e4bec513986d66597e810db94cdf45983fcf3e

Download Submit
\Users\Admin\AppData\Local\Temp\A26760~1.DLL
Filesize
35KB

MD5
95c0143412c478c062ba76ea6ac5ca14

SHA1
19d10733ac61bab38a6876a4ba02e0fafc160828

SHA256
6f7cc49f6de348cdf50ca6e582bc3985218ccc339d8a65a4870a598a18e35000

SHA512
d335125ce16b079fac94fafe976fbe6e53b8d45c2b1997845d7306b43bfe7d488fd14cb74076114625e61ef49f4b0c60b60abccf6e1585e9485cb2fcf3e71ee5

Download Submit
\Users\Admin\AppData\Local\Temp\A26760~1.DLL
Filesize
16KB

MD5
e3a57825bc8a280b399ae10cd0ade3d1

SHA1
2526ba48fa05bfbc57555714c6efd86bd70e7411

SHA256
9cd0f6d1a1e2fc6a58959b7620172d6532259492182a457a6abb31e915d6f3f2

SHA512
78e038c0e0fac8f4d85fd6c40b9eeceaf31499064dcef47b0d25a5652003b34695ac2fad68eb99b93d2c2a149517f3f2202207459851fb68ab0395595d1ab0c8

Download Submit
\Users\Admin\AppData\Local\Temp\A26760~1.DLL
Filesize
21KB

MD5
b5992d7d2c2aa26f8be0592bc129e198

SHA1
f5aa80b7344c27dd376a7ea26abf801636c734a5

SHA256
df64362093ff825b970d16b633b89c3bba51f407e2baf6a4df2a87beb0a55ee3

SHA512
91fd7e7815d5b1c65dbcd35cc371f130b07cc4051a9428795fa29881870004765b4919a4180946640d7a6f137fbe17423afe3efaf7c3cebf98bc5a54df431436

Download Submit
\Users\Admin\AppData\Local\Temp\A26760~1.DLL
Filesize
18KB

MD5
a3a65819962a902b74eda74d87100bbb

SHA1
6a6b6e853156e8643408d8e18bc2c5f425971376

SHA256
4f6681d515fd4c2c3755b6832df31bd7f747bcf87e73415ceb4d9219c9d77e85

SHA512
047d9fb683ff42b21b17e29e649c3ea2cbebd34032f3b367decaba7127d71968d27ce62e497600a3cfa55eb8f9e6668242d911234b4f262d025c84e137bbe36c

Download Submit
\Users\Admin\AppData\Local\Temp\A26760~1.DLL
Filesize
5KB

MD5
2df8ad7409e26f43522bbbc2e1543eb3

SHA1
4965aecac8e24f75d24c048a42fed47f434c3171

SHA256
d5b4b5f2ea5b8e9e61a5001758f2910abd304b5b2f4d542855c2eb1dfbcbbcd1

SHA512
38ef34d455b7902c14e8d7fe099c3752c87270c9a975be34a462494b63472d9fa77491cc79b565be652eac246cd2392a7032636241efb203e984970058bea652

Download Submit
memory/552-54-0x0000000000400000-0x0000000004B72000-memory.dmp

Filesize
71.4MB

Download
memory/552-59-0x0000000004D40000-0x000000000510A000-memory.dmp

Filesize
3.8MB

Download
memory/552-60-0x0000000000400000-0x0000000004B72000-memory.dmp

Filesize
71.4MB

Download
memory/552-55-0x0000000005110000-0x00000000054EC000-memory.dmp

Filesize
3.9MB

Download
memory/552-67-0x0000000000400000-0x0000000004B72000-memory.dmp

Filesize
71.4MB

Download
memory/552-56-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1264-78-0x00000000028A0000-0x0000000002EFF000-memory.dmp

Filesize
6.4MB

Download
memory/1264-75-0x0000000002200000-0x00000000025CB000-memory.dmp

Filesize
3.8MB

Download
memory/1264-69-0x0000000000000000-mapping.dmp

Download
memory/1264-77-0x00000000028A0000-0x0000000002EFF000-memory.dmp

Filesize
6.4MB

Download
memory/1464-76-0x0000000002580000-0x0000000002BDF000-memory.dmp

Filesize
6.4MB

Download
memory/1464-66-0x0000000001CA0000-0x000000000206B000-memory.dmp

Filesize
3.8MB

Download
memory/1464-57-0x0000000000000000-mapping.dmp

Download
memory/1464-68-0x0000000002580000-0x0000000002BDF000-memory.dmp

Filesize
6.4MB

Download