5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17/07/2023, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe
Size

203KB
MD5

d209d42e2d604e6018129634fc2a2f38
SHA1

931d1ab97dba24013e97ee6a9247e70b0bf0ef13
SHA256

5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e
SHA512

269b0822e8160693046f30539db2ff96281f004ad37356d16aba34d5eda122dc9a0684bc414724bf90acce484b767a0dce9b4ee590eb4e620c4a7d36f964d2ef
SSDEEP

6144:Dz1xOecgEnOxUwWz1w4mcH+dZvF4lBFusBQW:31seJzWz1l+LIb

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2664-54-0x0000000001330000-0x00000000013C7000-memory.dmp	upx
behavioral1/memory/2664-82-0x0000000001330000-0x00000000013C7000-memory.dmp	upx

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\bootKAK.sys	setx.exe
File created	C:\Windows\System32\kbd103nu.sys	setx.exe
File created	C:\Windows\System32\PortableDeviceConnectApin2tS.sys	setx.exe
File created	C:\Windows\System32\javaws2E.sys	setx.exe
File created	C:\Windows\System32\perfi0119vI.sys	setx.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowRedSystem04.log	setx.exe
File opened for modification	C:\Windows\WindowsShell03108.log	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe
File opened for modification	C:\Windows\WindowSystemNewUpdate570.log	doskey.exe
File opened for modification	C:\Windows\WindowTerminalVaild580.log	doskey.exe
File opened for modification	C:\Windows\WindowsShell51242.log	doskey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe
3036	setx.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe
Token: SeDebugPrivilege	2296	doskey.exe
Token: SeIncBasePriorityPrivilege	2664	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe
Token: SeDebugPrivilege	2296	doskey.exe
Token: SeDebugPrivilege	2296	doskey.exe
Token: SeDebugPrivilege	2296	doskey.exe
Token: SeDebugPrivilege	3036	setx.exe
Token: SeDebugPrivilege	2296	doskey.exe
Token: SeDebugPrivilege	2296	doskey.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2296	2664	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe	28
PID 2664 wrote to memory of 2296	2664	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe	28
PID 2664 wrote to memory of 2296	2664	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe	28
PID 2664 wrote to memory of 2296	2664	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe	28
PID 2664 wrote to memory of 2296	2664	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe	28
PID 2664 wrote to memory of 2296	2664	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe	28
PID 2664 wrote to memory of 2296	2664	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe	28
PID 2664 wrote to memory of 2856	2664	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe	30
PID 2664 wrote to memory of 2856	2664	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe	30
PID 2664 wrote to memory of 2856	2664	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe	30
PID 2664 wrote to memory of 2856	2664	5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe	30
PID 2296 wrote to memory of 3036	2296	doskey.exe	34
PID 2296 wrote to memory of 3036	2296	doskey.exe	34
PID 2296 wrote to memory of 3036	2296	doskey.exe	34
PID 2296 wrote to memory of 3036	2296	doskey.exe	34
PID 2296 wrote to memory of 3036	2296	doskey.exe	34
PID 2296 wrote to memory of 3036	2296	doskey.exe	34
PID 2296 wrote to memory of 3036	2296	doskey.exe	34

C:\Users\Admin\AppData\Local\Temp\5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe
"C:\Users\Admin\AppData\Local\Temp\5a13091832ef2fd837c33acb44b97c37d4f1f412f31f093faf0ce83dcd7c314e.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\doskey.exe
  "C:\Windows\SysWOW64\doskey.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\setx.exe
    "C:\Windows\SysWOW64\setx.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5A1309~1.EXE > nul
  2⤵
  PID:2856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\WindowRedSystem04.log

Filesize
5KB

MD5
41f0de636707bc70e06992fe7131e078

SHA1
ad6ec4d9c600d40606eaa9d5a50a31f2e54cbcce

SHA256
ac38d788285a4ff252f8e1ad50fee767803f96ef618a793bbc9c6fd084c6d348

SHA512
1376131851712cf6f48fe72151852de17b623f4325faa32bf896277331068aed4546c7698105624411fd9b04e36f60ab02e5a0848688ef90b030238a16674e6c

Download Submit
C:\Windows\WindowSystemNewUpdate570.log

Filesize
5KB

MD5
1705344f2b45b5691936a4c152f2cc78

SHA1
7998e5ae06ca752fcb8f7aef4ea354f9909fd49c

SHA256
f6db00b73df9161f6b8a954111375775fe9912b1a9a1e4769749fe31044ed259

SHA512
ea54f34e100e03dc032a20c1fc33fb5b4aa74842ec8f2d2c792cd03e17c75317a0903261f95637e37f15d84582f3abf492673c6a6e15f2832350af0a0e9736ea

Download Submit
memory/2296-109-0x0000000002DE0000-0x0000000002ED9000-memory.dmp

Filesize
996KB

Download
memory/2296-100-0x0000000002DE0000-0x0000000002ED9000-memory.dmp

Filesize
996KB

Download
memory/2296-62-0x0000000000080000-0x00000000000E7000-memory.dmp

Filesize
412KB

Download
memory/2296-64-0x0000000000210000-0x000000000022B000-memory.dmp

Filesize
108KB

Download
memory/2296-66-0x0000000000210000-0x000000000022B000-memory.dmp

Filesize
108KB

Download
memory/2296-68-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2296-74-0x0000000000210000-0x000000000022B000-memory.dmp

Filesize
108KB

Download
memory/2296-114-0x0000000000310000-0x0000000000348000-memory.dmp

Filesize
224KB

Download
memory/2296-111-0x0000000002DE0000-0x0000000002ED9000-memory.dmp

Filesize
996KB

Download
memory/2296-108-0x0000000002DE0000-0x0000000002ED9000-memory.dmp

Filesize
996KB

Download
memory/2296-60-0x0000000000080000-0x00000000000E7000-memory.dmp

Filesize
412KB

Download
memory/2296-176-0x0000000002DE0000-0x0000000002ED9000-memory.dmp

Filesize
996KB

Download
memory/2296-305-0x0000000006EE0000-0x0000000007263000-memory.dmp

Filesize
3.5MB

Download
memory/2296-123-0x0000000004340000-0x0000000004671000-memory.dmp

Filesize
3.2MB

Download
memory/2296-138-0x0000000002DE0000-0x0000000002ED9000-memory.dmp

Filesize
996KB

Download
memory/2296-295-0x0000000006EE0000-0x0000000007263000-memory.dmp

Filesize
3.5MB

Download
memory/2296-292-0x0000000006EE0000-0x0000000007263000-memory.dmp

Filesize
3.5MB

Download
memory/2296-163-0x0000000002DE0000-0x0000000002ED9000-memory.dmp

Filesize
996KB

Download
memory/2296-160-0x0000000002DE0000-0x0000000002ED9000-memory.dmp

Filesize
996KB

Download
memory/2296-58-0x0000000000080000-0x00000000000E7000-memory.dmp

Filesize
412KB

Download
memory/2296-56-0x0000000000080000-0x00000000000E7000-memory.dmp

Filesize
412KB

Download
memory/2296-169-0x0000000002DE0000-0x0000000002ED9000-memory.dmp

Filesize
996KB

Download
memory/2296-235-0x0000000002DE0000-0x0000000002ED9000-memory.dmp

Filesize
996KB

Download
memory/2664-82-0x0000000001330000-0x00000000013C7000-memory.dmp

Filesize
604KB

Download
memory/2664-54-0x0000000001330000-0x00000000013C7000-memory.dmp

Filesize
604KB

Download
memory/3036-250-0x0000000010000000-0x0000000010444000-memory.dmp

Filesize
4.3MB

Download
memory/3036-188-0x0000000010000000-0x0000000010444000-memory.dmp

Filesize
4.3MB

Download
memory/3036-190-0x0000000010000000-0x0000000010444000-memory.dmp

Filesize
4.3MB

Download
memory/3036-171-0x0000000000120000-0x000000000013B000-memory.dmp

Filesize
108KB

Download
memory/3036-245-0x0000000000120000-0x000000000013B000-memory.dmp

Filesize
108KB

Download
memory/3036-174-0x0000000010000000-0x0000000010444000-memory.dmp

Filesize
4.3MB

Download
memory/3036-165-0x00000000001F0000-0x0000000000641000-memory.dmp

Filesize
4.3MB

Download
memory/3036-253-0x0000000010000000-0x0000000010444000-memory.dmp

Filesize
4.3MB

Download
memory/3036-164-0x00000000001F0000-0x0000000000641000-memory.dmp

Filesize
4.3MB

Download
memory/3036-159-0x00000000001F0000-0x0000000000641000-memory.dmp

Filesize
4.3MB

Download
memory/3036-156-0x00000000001F0000-0x0000000000641000-memory.dmp

Filesize
4.3MB

Download
memory/3036-168-0x0000000000120000-0x000000000013B000-memory.dmp

Filesize
108KB

Download