Overview

overview

10

Static

static

8

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    tmp

  • Size

    532KB

  • Sample

    221115-pybwcadh86

  • MD5

    cba9caa64e418a546044daa8744800b3

  • SHA1

    72060361b8a025ea3e132f6015cb20a87d3dff44

  • SHA256

    9aa8880ca3650ef28c7a1dd5869a4d720ca0f62bda8ada3fcd86226b6f20e123

  • SHA512

    aac883eb4a0d5718d64a592632d1270c3f7ab8b8e1555f0c0a940922bc325dc07dea44a09ea3da0a0e834a4b266f1d6eb20b54523811c5992abbfc9bc56e4129

  • SSDEEP

    12288:u5m8ZlWk6VT6qIm9qCZb5rTa8kdVXpP1PIU/bB6h1a15:5O+DD9qCZb5rTa8UPPRP/bkar

Score
10/10
discoveryevasionexploitupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://chocolatey.org/install.ps1

Targets

    • Target

      tmp

    • Size

      532KB

    • MD5

      cba9caa64e418a546044daa8744800b3

    • SHA1

      72060361b8a025ea3e132f6015cb20a87d3dff44

    • SHA256

      9aa8880ca3650ef28c7a1dd5869a4d720ca0f62bda8ada3fcd86226b6f20e123

    • SHA512

      aac883eb4a0d5718d64a592632d1270c3f7ab8b8e1555f0c0a940922bc325dc07dea44a09ea3da0a0e834a4b266f1d6eb20b54523811c5992abbfc9bc56e4129

    • SSDEEP

      12288:u5m8ZlWk6VT6qIm9qCZb5rTa8kdVXpP1PIU/bB6h1a15:5O+DD9qCZb5rTa8UPPRP/bkar

    Score
    10/10
    discoveryevasionexploitupx

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Possible privilege escalation attempt

      exploit

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Modifies file permissions

      discovery

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

File Permissions Modification

1
T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks