42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595

Analysis

max time kernel
2s
max time network
154s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18-05-2023 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe
Size

2.9MB
MD5

d88534462d1c0c26ceb886c050b49fb4
SHA1

2fe4f66cec538632a4c55b9439a3f9af70559505
SHA256

42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595
SHA512

1b47386e2904cf6c526c490cd9858389e3af81c7fb5248367424330c1fa2428e9b52cb20aff8471b3924ae54236dd25c0144356816f2c6658bb1a87d1b156dd1
SSDEEP

49152:3+SW6KVcadcY/tE+3fKhOmcK8bWfJE+kw0ypO5V4Vp0:3+5HEA8QJWfS+kFH5e

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1084-60-0x0000000002660000-0x0000000002BBD000-memory.dmp	upx
behavioral1/memory/1084-70-0x0000000002660000-0x0000000002BBD000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe"	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1084	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	472	wmic.exe
Token: SeSecurityPrivilege	472	wmic.exe
Token: SeTakeOwnershipPrivilege	472	wmic.exe
Token: SeLoadDriverPrivilege	472	wmic.exe
Token: SeSystemProfilePrivilege	472	wmic.exe
Token: SeSystemtimePrivilege	472	wmic.exe
Token: SeProfSingleProcessPrivilege	472	wmic.exe
Token: SeIncBasePriorityPrivilege	472	wmic.exe
Token: SeCreatePagefilePrivilege	472	wmic.exe
Token: SeBackupPrivilege	472	wmic.exe
Token: SeRestorePrivilege	472	wmic.exe
Token: SeShutdownPrivilege	472	wmic.exe
Token: SeDebugPrivilege	472	wmic.exe
Token: SeSystemEnvironmentPrivilege	472	wmic.exe
Token: SeRemoteShutdownPrivilege	472	wmic.exe
Token: SeUndockPrivilege	472	wmic.exe
Token: SeManageVolumePrivilege	472	wmic.exe
Token: 33	472	wmic.exe
Token: 34	472	wmic.exe
Token: 35	472	wmic.exe
Token: SeIncreaseQuotaPrivilege	1016	wmic.exe
Token: SeSecurityPrivilege	1016	wmic.exe
Token: SeTakeOwnershipPrivilege	1016	wmic.exe
Token: SeLoadDriverPrivilege	1016	wmic.exe
Token: SeSystemProfilePrivilege	1016	wmic.exe
Token: SeSystemtimePrivilege	1016	wmic.exe
Token: SeProfSingleProcessPrivilege	1016	wmic.exe
Token: SeIncBasePriorityPrivilege	1016	wmic.exe
Token: SeCreatePagefilePrivilege	1016	wmic.exe
Token: SeBackupPrivilege	1016	wmic.exe
Token: SeRestorePrivilege	1016	wmic.exe
Token: SeShutdownPrivilege	1016	wmic.exe
Token: SeDebugPrivilege	1016	wmic.exe
Token: SeSystemEnvironmentPrivilege	1016	wmic.exe
Token: SeRemoteShutdownPrivilege	1016	wmic.exe
Token: SeUndockPrivilege	1016	wmic.exe
Token: SeManageVolumePrivilege	1016	wmic.exe
Token: 33	1016	wmic.exe
Token: 34	1016	wmic.exe
Token: 35	1016	wmic.exe
Token: SeIncreaseQuotaPrivilege	1716	wmic.exe
Token: SeSecurityPrivilege	1716	wmic.exe
Token: SeTakeOwnershipPrivilege	1716	wmic.exe
Token: SeLoadDriverPrivilege	1716	wmic.exe
Token: SeSystemProfilePrivilege	1716	wmic.exe
Token: SeSystemtimePrivilege	1716	wmic.exe
Token: SeProfSingleProcessPrivilege	1716	wmic.exe
Token: SeIncBasePriorityPrivilege	1716	wmic.exe
Token: SeCreatePagefilePrivilege	1716	wmic.exe
Token: SeBackupPrivilege	1716	wmic.exe
Token: SeRestorePrivilege	1716	wmic.exe
Token: SeShutdownPrivilege	1716	wmic.exe
Token: SeDebugPrivilege	1716	wmic.exe
Token: SeSystemEnvironmentPrivilege	1716	wmic.exe
Token: SeRemoteShutdownPrivilege	1716	wmic.exe
Token: SeUndockPrivilege	1716	wmic.exe
Token: SeManageVolumePrivilege	1716	wmic.exe
Token: 33	1716	wmic.exe
Token: 34	1716	wmic.exe
Token: 35	1716	wmic.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 1716	1084	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	31
PID 1084 wrote to memory of 1716	1084	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	31
PID 1084 wrote to memory of 1716	1084	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	31
PID 1084 wrote to memory of 1716	1084	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	31
PID 1084 wrote to memory of 1016	1084	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	26
PID 1084 wrote to memory of 1016	1084	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	26
PID 1084 wrote to memory of 1016	1084	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	26
PID 1084 wrote to memory of 1016	1084	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	26
PID 1084 wrote to memory of 472	1084	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	30
PID 1084 wrote to memory of 472	1084	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	30
PID 1084 wrote to memory of 472	1084	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	30
PID 1084 wrote to memory of 472	1084	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	30

C:\Users\Admin\AppData\Local\Temp\42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe
"C:\Users\Admin\AppData\Local\Temp\42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic baseboard get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic cpu get processorid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:472
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic diskdrive get serialNumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1084-56-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1084-60-0x0000000002660000-0x0000000002BBD000-memory.dmp

Filesize
5.4MB

Download
memory/1084-66-0x00000000006B0000-0x000000000072B000-memory.dmp

Filesize
492KB

Download
memory/1084-64-0x00000000006B0000-0x000000000072B000-memory.dmp

Filesize
492KB

Download
memory/1084-69-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1084-72-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1084-71-0x00000000006B0000-0x000000000072B000-memory.dmp

Filesize
492KB

Download
memory/1084-70-0x0000000002660000-0x0000000002BBD000-memory.dmp

Filesize
5.4MB

Download
memory/1084-68-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/1084-73-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/1084-74-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1084-76-0x00000000006B0000-0x000000000072B000-memory.dmp

Filesize
492KB

Download
memory/1084-77-0x00000000006B0000-0x000000000072B000-memory.dmp

Filesize
492KB

Download
memory/1084-81-0x00000000006B0000-0x000000000072B000-memory.dmp

Filesize
492KB

Download
memory/1084-83-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1084-85-0x00000000006B0000-0x000000000072B000-memory.dmp

Filesize
492KB

Download
memory/1084-89-0x00000000006B0000-0x000000000072B000-memory.dmp

Filesize
492KB

Download
memory/1084-93-0x00000000006B0000-0x000000000072B000-memory.dmp

Filesize
492KB

Download
memory/1084-97-0x00000000006B0000-0x000000000072B000-memory.dmp

Filesize
492KB

Download
memory/1084-98-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/1084-101-0x00000000006B0000-0x000000000072B000-memory.dmp

Filesize
492KB

Download
memory/1084-105-0x00000000006B0000-0x000000000072B000-memory.dmp

Filesize
492KB

Download
memory/1084-109-0x00000000006B0000-0x000000000072B000-memory.dmp

Filesize
492KB

Download
memory/1084-111-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1084-113-0x00000000006B0000-0x000000000072B000-memory.dmp

Filesize
492KB

Download
memory/1084-117-0x00000000006B0000-0x000000000072B000-memory.dmp

Filesize
492KB

Download
memory/1084-121-0x00000000006B0000-0x000000000072B000-memory.dmp

Filesize
492KB

Download
memory/1084-123-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1084-125-0x00000000006B0000-0x000000000072B000-memory.dmp

Filesize
492KB

Download