49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608

Analysis

max time kernel
170s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe
Size

1.5MB
MD5

88d379f82097fdb50c0b9a55fdb9e2f5
SHA1

b8eccb9bbc517e6c13a7331fbf87b1b39cf2f477
SHA256

49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608
SHA512

38d7a88e2c68adc9e3968e781a51b1a9aa8249fdf6df53129bc82c104b77c1169852b545dc6c9a47855507487e5fd41c34c3a2f7b0510e4ac8c0589102337f6e
SSDEEP

49152:mcYTuIXq4/kdbS3/eE0XgvRt8eNZmeifNq4t:mXiEK8xggvhNZmeifNV

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
4872	FB_8DF3.tmp.exe
5096	FB_A4E7.tmp.exe
928	FB_A814.tmp.exe
1656	FB_8DF3.tmp.exe
4484	FB_A4E7.tmp.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4484-161-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4632 set thread context of 5052	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe	87
PID 4872 set thread context of 1656	4872	FB_8DF3.tmp.exe	92
PID 5096 set thread context of 4484	5096	FB_A4E7.tmp.exe	93

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe
Token: SeDebugPrivilege	4872	FB_8DF3.tmp.exe
Token: SeDebugPrivilege	5096	FB_A4E7.tmp.exe
Token: SeDebugPrivilege	928	FB_A814.tmp.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 5052	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe	87
PID 4632 wrote to memory of 5052	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe	87
PID 4632 wrote to memory of 5052	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe	87
PID 4632 wrote to memory of 5052	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe	87
PID 4632 wrote to memory of 5052	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe	87
PID 4632 wrote to memory of 5052	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe	87
PID 4632 wrote to memory of 5052	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe	87
PID 4632 wrote to memory of 5052	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe	87
PID 4632 wrote to memory of 5052	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe	87
PID 5052 wrote to memory of 4872	5052	AppLaunch.exe	88
PID 5052 wrote to memory of 4872	5052	AppLaunch.exe	88
PID 5052 wrote to memory of 4872	5052	AppLaunch.exe	88
PID 5052 wrote to memory of 5096	5052	AppLaunch.exe	89
PID 5052 wrote to memory of 5096	5052	AppLaunch.exe	89
PID 5052 wrote to memory of 5096	5052	AppLaunch.exe	89
PID 5052 wrote to memory of 928	5052	AppLaunch.exe	90
PID 5052 wrote to memory of 928	5052	AppLaunch.exe	90
PID 5052 wrote to memory of 928	5052	AppLaunch.exe	90
PID 4872 wrote to memory of 1656	4872	FB_8DF3.tmp.exe	92
PID 4872 wrote to memory of 1656	4872	FB_8DF3.tmp.exe	92
PID 4872 wrote to memory of 1656	4872	FB_8DF3.tmp.exe	92
PID 4872 wrote to memory of 1656	4872	FB_8DF3.tmp.exe	92
PID 4872 wrote to memory of 1656	4872	FB_8DF3.tmp.exe	92
PID 4872 wrote to memory of 1656	4872	FB_8DF3.tmp.exe	92
PID 4872 wrote to memory of 1656	4872	FB_8DF3.tmp.exe	92
PID 4872 wrote to memory of 1656	4872	FB_8DF3.tmp.exe	92
PID 5096 wrote to memory of 4484	5096	FB_A4E7.tmp.exe	93
PID 5096 wrote to memory of 4484	5096	FB_A4E7.tmp.exe	93
PID 5096 wrote to memory of 4484	5096	FB_A4E7.tmp.exe	93
PID 5096 wrote to memory of 4484	5096	FB_A4E7.tmp.exe	93
PID 5096 wrote to memory of 4484	5096	FB_A4E7.tmp.exe	93
PID 5096 wrote to memory of 4484	5096	FB_A4E7.tmp.exe	93
PID 5096 wrote to memory of 4484	5096	FB_A4E7.tmp.exe	93

C:\Users\Admin\AppData\Local\Temp\49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe
"C:\Users\Admin\AppData\Local\Temp\49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\FB_8DF3.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\FB_8DF3.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Users\Admin\AppData\Local\Temp\FB_8DF3.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\FB_8DF3.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:1656
- - C:\Users\Admin\AppData\Local\Temp\FB_A4E7.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\FB_A4E7.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\FB_A4E7.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\FB_A4E7.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:4484
- - C:\Users\Admin\AppData\Local\Temp\FB_A814.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\FB_A814.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FB_8DF3.tmp.exe

Filesize
375KB

MD5
e70554626613b71cad3ee25fedc14860

SHA1
44a6ee6a6fa305f6361e9c22bd81b65b7c73d029

SHA256
d1a69a078b42b37ca36b10a42004a1c24772eec70b2c81e99e29b7c8fe64d2c8

SHA512
a7db08e98daa5bd0d9c520736ce24bf43ad77818f16cdbe8f99d50f5bb8d26499a08fcd0e164121ce96c84518c2aea01027e685c6688f37f5ed91edf08465f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_8DF3.tmp.exe

Filesize
375KB

MD5
e70554626613b71cad3ee25fedc14860

SHA1
44a6ee6a6fa305f6361e9c22bd81b65b7c73d029

SHA256
d1a69a078b42b37ca36b10a42004a1c24772eec70b2c81e99e29b7c8fe64d2c8

SHA512
a7db08e98daa5bd0d9c520736ce24bf43ad77818f16cdbe8f99d50f5bb8d26499a08fcd0e164121ce96c84518c2aea01027e685c6688f37f5ed91edf08465f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_8DF3.tmp.exe

Filesize
375KB

MD5
e70554626613b71cad3ee25fedc14860

SHA1
44a6ee6a6fa305f6361e9c22bd81b65b7c73d029

SHA256
d1a69a078b42b37ca36b10a42004a1c24772eec70b2c81e99e29b7c8fe64d2c8

SHA512
a7db08e98daa5bd0d9c520736ce24bf43ad77818f16cdbe8f99d50f5bb8d26499a08fcd0e164121ce96c84518c2aea01027e685c6688f37f5ed91edf08465f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_A4E7.tmp.exe

Filesize
133KB

MD5
510be7b2655743c1816d28cf348f0605

SHA1
ee71ce07ed98a82c4d2b9dac1e7f1c6dabe06456

SHA256
a1fd1f4c66a5c748a43bf8aa670850ff0a4ec5941e6f91e1140b4c021ff259de

SHA512
c5714a24caac7870042fb8ac113eb4d8a9f71b1db43b47f9695a0274b5f8a4964225903d05b0e93738c4f1ba51928cd85b9585311b0ea74279e7d47664a10271

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_A4E7.tmp.exe

Filesize
133KB

MD5
510be7b2655743c1816d28cf348f0605

SHA1
ee71ce07ed98a82c4d2b9dac1e7f1c6dabe06456

SHA256
a1fd1f4c66a5c748a43bf8aa670850ff0a4ec5941e6f91e1140b4c021ff259de

SHA512
c5714a24caac7870042fb8ac113eb4d8a9f71b1db43b47f9695a0274b5f8a4964225903d05b0e93738c4f1ba51928cd85b9585311b0ea74279e7d47664a10271

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_A4E7.tmp.exe

Filesize
133KB

MD5
510be7b2655743c1816d28cf348f0605

SHA1
ee71ce07ed98a82c4d2b9dac1e7f1c6dabe06456

SHA256
a1fd1f4c66a5c748a43bf8aa670850ff0a4ec5941e6f91e1140b4c021ff259de

SHA512
c5714a24caac7870042fb8ac113eb4d8a9f71b1db43b47f9695a0274b5f8a4964225903d05b0e93738c4f1ba51928cd85b9585311b0ea74279e7d47664a10271

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_A814.tmp.exe

Filesize
897KB

MD5
2a7379159a848b79c2c572eb10111c90

SHA1
386edeaa78a8610ffc84b267c6f11cb66d13914d

SHA256
214cd649809bb59f310824dc79062b6da45f630063e9c81bea70d87de55eebe0

SHA512
480e34086e1d99bffebebc51537f3964366fbec49ab387eba9cb36507661ffe3d111c182a1e1e5c980a3df187ba26b2714f551ba5e4387bca567bbd3d5673f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_A814.tmp.exe

Filesize
897KB

MD5
2a7379159a848b79c2c572eb10111c90

SHA1
386edeaa78a8610ffc84b267c6f11cb66d13914d

SHA256
214cd649809bb59f310824dc79062b6da45f630063e9c81bea70d87de55eebe0

SHA512
480e34086e1d99bffebebc51537f3964366fbec49ab387eba9cb36507661ffe3d111c182a1e1e5c980a3df187ba26b2714f551ba5e4387bca567bbd3d5673f3e

Download Submit
memory/928-157-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download
memory/928-153-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download
memory/1656-159-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download
memory/1656-155-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4484-161-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4632-139-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/4632-133-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/4632-132-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/4872-158-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download
memory/4872-149-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download
memory/4872-151-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download
memory/5052-137-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/5052-135-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/5052-138-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/5096-152-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download
memory/5096-150-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download