42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595

Analysis

max time kernel
3s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/05/2023, 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe
Size

2.9MB
MD5

d88534462d1c0c26ceb886c050b49fb4
SHA1

2fe4f66cec538632a4c55b9439a3f9af70559505
SHA256

42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595
SHA512

1b47386e2904cf6c526c490cd9858389e3af81c7fb5248367424330c1fa2428e9b52cb20aff8471b3924ae54236dd25c0144356816f2c6658bb1a87d1b156dd1
SSDEEP

49152:3+SW6KVcadcY/tE+3fKhOmcK8bWfJE+kw0ypO5V4Vp0:3+5HEA8QJWfS+kFH5e

Score

7^/10

persistence upx

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1772	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe
1772	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe
1772	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1772-142-0x0000000002CE0000-0x000000000323D000-memory.dmp	upx
behavioral2/memory/1772-152-0x0000000002CE0000-0x000000000323D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe"	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1772	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe
1772	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4932	wmic.exe
Token: SeSecurityPrivilege	4932	wmic.exe
Token: SeTakeOwnershipPrivilege	4932	wmic.exe
Token: SeLoadDriverPrivilege	4932	wmic.exe
Token: SeSystemProfilePrivilege	4932	wmic.exe
Token: SeSystemtimePrivilege	4932	wmic.exe
Token: SeProfSingleProcessPrivilege	4932	wmic.exe
Token: SeIncBasePriorityPrivilege	4932	wmic.exe
Token: SeCreatePagefilePrivilege	4932	wmic.exe
Token: SeBackupPrivilege	4932	wmic.exe
Token: SeRestorePrivilege	4932	wmic.exe
Token: SeShutdownPrivilege	4932	wmic.exe
Token: SeDebugPrivilege	4932	wmic.exe
Token: SeSystemEnvironmentPrivilege	4932	wmic.exe
Token: SeRemoteShutdownPrivilege	4932	wmic.exe
Token: SeUndockPrivilege	4932	wmic.exe
Token: SeManageVolumePrivilege	4932	wmic.exe
Token: 33	4932	wmic.exe
Token: 34	4932	wmic.exe
Token: 35	4932	wmic.exe
Token: 36	4932	wmic.exe
Token: SeIncreaseQuotaPrivilege	4716	wmic.exe
Token: SeSecurityPrivilege	4716	wmic.exe
Token: SeTakeOwnershipPrivilege	4716	wmic.exe
Token: SeLoadDriverPrivilege	4716	wmic.exe
Token: SeSystemProfilePrivilege	4716	wmic.exe
Token: SeSystemtimePrivilege	4716	wmic.exe
Token: SeProfSingleProcessPrivilege	4716	wmic.exe
Token: SeIncBasePriorityPrivilege	4716	wmic.exe
Token: SeCreatePagefilePrivilege	4716	wmic.exe
Token: SeBackupPrivilege	4716	wmic.exe
Token: SeRestorePrivilege	4716	wmic.exe
Token: SeShutdownPrivilege	4716	wmic.exe
Token: SeDebugPrivilege	4716	wmic.exe
Token: SeSystemEnvironmentPrivilege	4716	wmic.exe
Token: SeRemoteShutdownPrivilege	4716	wmic.exe
Token: SeUndockPrivilege	4716	wmic.exe
Token: SeManageVolumePrivilege	4716	wmic.exe
Token: 33	4716	wmic.exe
Token: 34	4716	wmic.exe
Token: 35	4716	wmic.exe
Token: 36	4716	wmic.exe
Token: SeIncreaseQuotaPrivilege	4856	wmic.exe
Token: SeSecurityPrivilege	4856	wmic.exe
Token: SeTakeOwnershipPrivilege	4856	wmic.exe
Token: SeLoadDriverPrivilege	4856	wmic.exe
Token: SeSystemProfilePrivilege	4856	wmic.exe
Token: SeSystemtimePrivilege	4856	wmic.exe
Token: SeProfSingleProcessPrivilege	4856	wmic.exe
Token: SeIncBasePriorityPrivilege	4856	wmic.exe
Token: SeCreatePagefilePrivilege	4856	wmic.exe
Token: SeBackupPrivilege	4856	wmic.exe
Token: SeRestorePrivilege	4856	wmic.exe
Token: SeShutdownPrivilege	4856	wmic.exe
Token: SeDebugPrivilege	4856	wmic.exe
Token: SeSystemEnvironmentPrivilege	4856	wmic.exe
Token: SeRemoteShutdownPrivilege	4856	wmic.exe
Token: SeUndockPrivilege	4856	wmic.exe
Token: SeManageVolumePrivilege	4856	wmic.exe
Token: 33	4856	wmic.exe
Token: 34	4856	wmic.exe
Token: 35	4856	wmic.exe
Token: 36	4856	wmic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 4932	1772	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	79
PID 1772 wrote to memory of 4932	1772	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	79
PID 1772 wrote to memory of 4932	1772	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	79
PID 1772 wrote to memory of 4856	1772	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	78
PID 1772 wrote to memory of 4856	1772	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	78
PID 1772 wrote to memory of 4856	1772	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	78
PID 1772 wrote to memory of 4716	1772	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	77
PID 1772 wrote to memory of 4716	1772	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	77
PID 1772 wrote to memory of 4716	1772	42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe	77

C:\Users\Admin\AppData\Local\Temp\42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe
"C:\Users\Admin\AppData\Local\Temp\42ebdd7af0e33c70e9f914662a60f2ac7ee44f87633290fb2deb0809564e7595.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic diskdrive get serialNumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic baseboard get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4856
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic cpu get processorid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\evb6FF6.tmp

Filesize
1KB

MD5
7cdb8cb8af957efc66711eb30450d71e

SHA1
66f313453703aa5f622e12f1cb1d4dae0e55b1a9

SHA256
bce34e4b736ce0f998d70b6a67543b1412b2b29c0c7ad9f5d95ff9488356e6b4

SHA512
5ad7aad720081944297bc5af16c06c97874d44958d4c2f455bf71dc80dc61bbfe5e7d43586fc7423f45004718d6aeb2f6a248a5da017d0fba5661e4e8bfac430

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb7064.tmp

Filesize
1KB

MD5
0d276c6636ee961ec9c68fbea4638993

SHA1
969f8ee18a0280e7978f50548482c42434c2cbac

SHA256
7c0228edb377e3c550df7b801d28ddc34849958fbf5e4b249049663cc6154e62

SHA512
498dd72634aea94ff1e105e65edf65a14856543482e7c3006984359e8c9d5240e464c4505e977c965ae78558e83e5c01100bdb400e4fbbc80ff3aceff62102a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb70F2.tmp

Filesize
1KB

MD5
4b956f9a4adb363fab263777a059134a

SHA1
a7d8005aab5a635158fd593439b27a477b2bd1a8

SHA256
f9d971f7f83d4a12fc04379237c8a81f9f0a6002557d22ce01415b6ec817f81a

SHA512
68c58ab196be82ac7bd803413cfff6eb8cbe540fa96d7ab80dd3ba37636f14731335a039bd2129409789cfc7f70c598ee355eff5c34b840cb9d943fcf05c8f9c

Download Submit
memory/1772-162-0x0000000003250000-0x00000000032CB000-memory.dmp

Filesize
492KB

Download
memory/1772-179-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/1772-147-0x0000000003250000-0x00000000032CB000-memory.dmp

Filesize
492KB

Download
memory/1772-149-0x0000000003250000-0x00000000032CB000-memory.dmp

Filesize
492KB

Download
memory/1772-137-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1772-151-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1772-153-0x0000000003250000-0x00000000032CB000-memory.dmp

Filesize
492KB

Download
memory/1772-152-0x0000000002CE0000-0x000000000323D000-memory.dmp

Filesize
5.4MB

Download
memory/1772-155-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1772-154-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/1772-157-0x0000000003250000-0x00000000032CB000-memory.dmp

Filesize
492KB

Download
memory/1772-158-0x0000000003250000-0x00000000032CB000-memory.dmp

Filesize
492KB

Download
memory/1772-159-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/1772-133-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/1772-142-0x0000000002CE0000-0x000000000323D000-memory.dmp

Filesize
5.4MB

Download
memory/1772-170-0x0000000003250000-0x00000000032CB000-memory.dmp

Filesize
492KB

Download
memory/1772-166-0x0000000003250000-0x00000000032CB000-memory.dmp

Filesize
492KB

Download
memory/1772-174-0x0000000003250000-0x00000000032CB000-memory.dmp

Filesize
492KB

Download
memory/1772-178-0x0000000003250000-0x00000000032CB000-memory.dmp

Filesize
492KB

Download
memory/1772-167-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/1772-182-0x0000000003250000-0x00000000032CB000-memory.dmp

Filesize
492KB

Download
memory/1772-186-0x0000000003250000-0x00000000032CB000-memory.dmp

Filesize
492KB

Download
memory/1772-190-0x0000000003250000-0x00000000032CB000-memory.dmp

Filesize
492KB

Download
memory/1772-194-0x0000000003250000-0x00000000032CB000-memory.dmp

Filesize
492KB

Download
memory/1772-198-0x0000000003250000-0x00000000032CB000-memory.dmp

Filesize
492KB

Download
memory/1772-202-0x0000000003250000-0x00000000032CB000-memory.dmp

Filesize
492KB

Download
memory/1772-206-0x0000000003250000-0x00000000032CB000-memory.dmp

Filesize
492KB

Download
memory/1772-208-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1772-210-0x0000000003250000-0x00000000032CB000-memory.dmp

Filesize
492KB

Download