ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 13:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe
Size

20KB
MD5

a115788d9ac16c5e42c5d574c4296600
SHA1

1d294b44bb82e37c1492e46f000396e71465789f
SHA256

ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9
SHA512

92d7f18b3a9922818198bc16b72ec478caa64b72e5871c07b3f8df4565aba706e4b7e11311517be23b898f5ec7f70c05a8b31618b9e732e5956a577826af6cb9
SSDEEP

384:g58AcUoUQKNRYELxQUHDvmk3E+KDvB77777J77c77c77c72qh5hQLnBYmrd:g5BOFKksO1mE9B77777J77c77c77c71Y

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1968-69-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Kills process with taskkill 13 IoCs

evasion

pid	Process
976	TASKKILL.exe
1308	TASKKILL.exe
1692	TASKKILL.exe
1820	TASKKILL.exe
1536	TASKKILL.exe
540	TASKKILL.exe
932	TASKKILL.exe
836	TASKKILL.exe
1452	TASKKILL.exe
1872	TASKKILL.exe
1876	TASKKILL.exe
596	TASKKILL.exe
2036	TASKKILL.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	976	TASKKILL.exe
Token: SeDebugPrivilege	1308	TASKKILL.exe
Token: SeDebugPrivilege	836	TASKKILL.exe
Token: SeDebugPrivilege	932	TASKKILL.exe
Token: SeDebugPrivilege	1452	TASKKILL.exe
Token: SeDebugPrivilege	1876	TASKKILL.exe
Token: SeDebugPrivilege	1692	TASKKILL.exe
Token: SeDebugPrivilege	1536	TASKKILL.exe
Token: SeDebugPrivilege	1872	TASKKILL.exe
Token: SeDebugPrivilege	1820	TASKKILL.exe
Token: SeDebugPrivilege	540	TASKKILL.exe
Token: SeDebugPrivilege	596	TASKKILL.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 976	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	28
PID 1968 wrote to memory of 976	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	28
PID 1968 wrote to memory of 976	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	28
PID 1968 wrote to memory of 976	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	28
PID 1968 wrote to memory of 932	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	29
PID 1968 wrote to memory of 932	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	29
PID 1968 wrote to memory of 932	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	29
PID 1968 wrote to memory of 932	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	29
PID 1968 wrote to memory of 1308	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	31
PID 1968 wrote to memory of 1308	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	31
PID 1968 wrote to memory of 1308	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	31
PID 1968 wrote to memory of 1308	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	31
PID 1968 wrote to memory of 836	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	33
PID 1968 wrote to memory of 836	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	33
PID 1968 wrote to memory of 836	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	33
PID 1968 wrote to memory of 836	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	33
PID 1968 wrote to memory of 1452	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	35
PID 1968 wrote to memory of 1452	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	35
PID 1968 wrote to memory of 1452	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	35
PID 1968 wrote to memory of 1452	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	35
PID 1968 wrote to memory of 1872	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	36
PID 1968 wrote to memory of 1872	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	36
PID 1968 wrote to memory of 1872	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	36
PID 1968 wrote to memory of 1872	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	36
PID 1968 wrote to memory of 1876	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	38
PID 1968 wrote to memory of 1876	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	38
PID 1968 wrote to memory of 1876	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	38
PID 1968 wrote to memory of 1876	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	38
PID 1968 wrote to memory of 1692	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	40
PID 1968 wrote to memory of 1692	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	40
PID 1968 wrote to memory of 1692	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	40
PID 1968 wrote to memory of 1692	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	40
PID 1968 wrote to memory of 1536	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	45
PID 1968 wrote to memory of 1536	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	45
PID 1968 wrote to memory of 1536	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	45
PID 1968 wrote to memory of 1536	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	45
PID 1968 wrote to memory of 1820	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	44
PID 1968 wrote to memory of 1820	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	44
PID 1968 wrote to memory of 1820	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	44
PID 1968 wrote to memory of 1820	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	44
PID 1968 wrote to memory of 540	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	48
PID 1968 wrote to memory of 540	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	48
PID 1968 wrote to memory of 540	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	48
PID 1968 wrote to memory of 540	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	48
PID 1968 wrote to memory of 596	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	50
PID 1968 wrote to memory of 596	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	50
PID 1968 wrote to memory of 596	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	50
PID 1968 wrote to memory of 596	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	50
PID 1968 wrote to memory of 2036	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	51
PID 1968 wrote to memory of 2036	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	51
PID 1968 wrote to memory of 2036	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	51
PID 1968 wrote to memory of 2036	1968	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	51

C:\Users\Admin\AppData\Local\Temp\ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe
"C:\Users\Admin\AppData\Local\Temp\ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:932
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:540
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:596
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  PID:2036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1968-69-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download