97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12

Resubmissions

26/12/2022, 02:17

221226-cq1taafe7t 8

26/12/2022, 01:37

221226-b16lvafe6s 8

26/12/2022, 01:34

221226-by65lacd25 8

25/12/2022, 04:48

221225-fff8nsbb39 10

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/12/2022, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe
Size

1.6MB
MD5

5015b3096f5bf7039c82684c2d88bf2c
SHA1

24aada32e2ac068d737866b6561e64a20f10f65e
SHA256

97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12
SHA512

808031a37f169702a6e495bbd7597a8a2dd6c7e0d9690d35b4b822aff59987db5674bea0a2da042343313463860f8ef987276a8f92fc670b541e091c99f5045b
SSDEEP

49152:g2LdRphDBhCTGFMWDumigm0pCiO5BAD70TfhxWYAhiISV:g2JRphjZM2UCGrIm

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1732	Engine.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a00000001230e-55.dat	upx
behavioral1/files/0x000a00000001230e-57.dat	upx
behavioral1/memory/1732-61-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/memory/1732-71-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1204	97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1492	powershell.exe
1492	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1732	1204	97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe	28
PID 1204 wrote to memory of 1732	1204	97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe	28
PID 1204 wrote to memory of 1732	1204	97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe	28
PID 1204 wrote to memory of 1732	1204	97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe	28
PID 1204 wrote to memory of 1732	1204	97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe	28
PID 1204 wrote to memory of 1732	1204	97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe	28
PID 1204 wrote to memory of 1732	1204	97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe	28
PID 1732 wrote to memory of 872	1732	Engine.exe	29
PID 1732 wrote to memory of 872	1732	Engine.exe	29
PID 1732 wrote to memory of 872	1732	Engine.exe	29
PID 1732 wrote to memory of 872	1732	Engine.exe	29
PID 872 wrote to memory of 432	872	cmd.exe	31
PID 872 wrote to memory of 432	872	cmd.exe	31
PID 872 wrote to memory of 432	872	cmd.exe	31
PID 872 wrote to memory of 432	872	cmd.exe	31
PID 432 wrote to memory of 1492	432	cmd.exe	32
PID 432 wrote to memory of 1492	432	cmd.exe	32
PID 432 wrote to memory of 1492	432	cmd.exe	32
PID 432 wrote to memory of 1492	432	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe
"C:\Users\Admin\AppData\Local\Temp\97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\SETUP_33771\Engine.exe
  C:\Users\Admin\AppData\Local\Temp\SETUP_33771\Engine.exe /TH_ID=_1344 /OriginExe="C:\Users\Admin\AppData\Local\Temp\97c5a2a43d3d301f94d6226e60e12b08f04ce416ba2d1b93fa98b26fa9783e12.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd < 5
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:872
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avastui
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SETUP_33771\00000#3

Filesize
872KB

MD5
9cd9369d3dc8824248464570a212e564

SHA1
a9880b7367c0c1e7a560fd9bc68c7561847d65d8

SHA256
cd1408c1e426684ffbe76ff868ed7e9cf0a56617dc2817243c9314653b1c3cdf

SHA512
64bf6265cde11d0f4ab36a6178b5aa2239468871f7b02513b7b9aa9721e8e217e87316e21acc951ea2c99bb194bb6f278ccef98fe127cb65407f85d150c71eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_33771\00001#5

Filesize
12KB

MD5
766ec43b82895b93ac97641978856551

SHA1
af4184b1ea5a2314773cbb85aa6bc9c21f41aa87

SHA256
63e7a1799d65555bf0fef6b3b7ffe388657f8010d17f6ec73a16d8804ae75d34

SHA512
597bd5019d92d616b8e86d246770e9b6dfa40cf2d3c70144f9efe9bbacd50950623bbb167b1dc54b5198e917a128839ca93edc9019ab5f1042649c4a13e44611

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_33771\00002#7

Filesize
1.5MB

MD5
268a482ed5ef9f3209bec71d291a19e7

SHA1
11e94a6f5360dabcd60a2329b86ec28c2e8ca38c

SHA256
1921ce205f4ef1a01a0c5dd326499dc26d3f9588888c97d59aa42917ba053bed

SHA512
9d43663903c23777b5e7408b73fea94885f07019a9cecc95b43641fb2712e1187d0bdef8bc5323667535f3f6c77ae8b587d6c6baa09a2b05ab420b2501455beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_33771\Engine.exe

Filesize
392KB

MD5
a7a99a201774531d761f6aac2651a9df

SHA1
b122ae368c4bf103e959a6ebb54ddb310117ab96

SHA256
e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524

SHA512
056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_33771\Modern_Icon.bmp

Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_33771\Setup.txt

Filesize
2KB

MD5
cae83309280eb1febee041b70be024fd

SHA1
c3a773b4c1430dcbabcc7687a98aaccf12710443

SHA256
a3e3ef834ab038542f3ba5bfbae89d63bb147c270663ecbb0420b1a68e1d7255

SHA512
e1bdcf17fd22f55c66e4fc99b202cdc27d6135308158739cdcca519d5a1b3ae28e3c4d1a018b47d600410b91b779d468b113ad8e9fd583e589567abf141b3949

Download Submit
\Users\Admin\AppData\Local\Temp\SETUP_33771\Engine.exe

Filesize
392KB

MD5
a7a99a201774531d761f6aac2651a9df

SHA1
b122ae368c4bf103e959a6ebb54ddb310117ab96

SHA256
e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524

SHA512
056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

Download Submit
memory/1204-60-0x0000000001E40000-0x0000000001F98000-memory.dmp

Filesize
1.3MB

Download
memory/1204-54-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/1492-70-0x0000000073AB0000-0x000000007405B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-61-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1732-71-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download