8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8

Analysis

max time kernel
41s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe
Size

168KB
MD5

85766bda197ca4f52708411a0b3573e6
SHA1

676eb274925daa5dd41ec860dad0d200ddbbc6cf
SHA256

8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8
SHA512

4115b6efbe7f474e3a1647aed963df07e4dca74fb211ee8f76ad96dd43444207ad46b2c060fb0d90ba2c0359c4a9112bac090f5620d1baa12a59c82358aed20e
SSDEEP

3072:Y/j6oIMjrbikYeXQXn0gT91jI7WCAtTDjiu5i1jMbW:Y/jHIMjZYHBT91jsmT5RbW

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1804-56-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/1804-58-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/1804-59-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/1804-62-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/1804-63-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/1804-127-0x0000000000400000-0x000000000043F000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1932 set thread context of 1804	1932	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	27

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe
1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe
Token: SeDebugPrivilege	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1804	1932	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	27
PID 1932 wrote to memory of 1804	1932	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	27
PID 1932 wrote to memory of 1804	1932	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	27
PID 1932 wrote to memory of 1804	1932	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	27
PID 1932 wrote to memory of 1804	1932	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	27
PID 1932 wrote to memory of 1804	1932	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	27
PID 1932 wrote to memory of 1804	1932	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	27
PID 1932 wrote to memory of 1804	1932	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	27
PID 1804 wrote to memory of 1256	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	14
PID 1804 wrote to memory of 372	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	5
PID 1804 wrote to memory of 420	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	3
PID 1804 wrote to memory of 476	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	1
PID 1804 wrote to memory of 484	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	8
PID 1804 wrote to memory of 600	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	26
PID 1804 wrote to memory of 676	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	25
PID 1804 wrote to memory of 764	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	24
PID 1804 wrote to memory of 824	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	23
PID 1804 wrote to memory of 860	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	22
PID 1804 wrote to memory of 888	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	21
PID 1804 wrote to memory of 300	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	19
PID 1804 wrote to memory of 280	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	18
PID 1804 wrote to memory of 1056	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	17
PID 1804 wrote to memory of 1156	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	16
PID 1804 wrote to memory of 1228	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	15
PID 1804 wrote to memory of 1256	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	14
PID 1804 wrote to memory of 1632	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	12
PID 1804 wrote to memory of 1588	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	11
PID 1804 wrote to memory of 1116	1804	8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe	9

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1116

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:1588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:1632

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe
  "C:\Users\Admin\AppData\Local\Temp\8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe
    "C:\Users\Admin\AppData\Local\Temp\8d79fdcc2c9dde4be50d9d4813e750dd11b201963af60efb63309920acdd60b8.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1804

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1228

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1056

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1256-112-0x000000000EA70000-0x000000000EABD000-memory.dmp

Filesize
308KB

Download
memory/1804-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1804-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1804-58-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1804-59-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1804-62-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1804-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1804-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1932-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download