Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-08-2023 11:35

General

  • Target

    b66f351c35212c7a265272d27aa09656.exe

  • Size

    4.4MB

  • MD5

    b66f351c35212c7a265272d27aa09656

  • SHA1

    c2994b2969f315b189a151d545b35a2c8ed6a2f9

  • SHA256

    ba4c8e065f601de46ae7844e81921c68726d09345f3db13fb6e3f5ea2d413dde

  • SHA512

    82ac249a9024085be3bd071682d15054696b0cd61a8b8a85d77c7ff4cd7703124ab07a3446b1b7b69015b5a30643f88030bef908644c88256d1784f992207fcb

  • SSDEEP

    98304:sParA5bJxdz0l3YIMFQxMKsVCyGPPUpGieNjBVTRB7OQ8TZMQ7caYS3u:6a6rwlLSQxMKeiVRpSnYvIu

Score
7/10
upx

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b66f351c35212c7a265272d27aa09656.exe
    "C:\Users\Admin\AppData\Local\Temp\b66f351c35212c7a265272d27aa09656.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Windows\system32\cmd.exe
      cmd /C nPandaVPN.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Users\Admin\AppData\Local\Temp\nPandaVPN.exe
        nPandaVPN.exe
        3⤵
        • Executes dropped EXE
        PID:3360
    • C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nPandaVPN.exe

    Filesize

    2.1MB

    MD5

    c83323d126469b0eaab04876edd391a3

    SHA1

    dc9b1aeb0535cc30eff5f298e81de1476ec8e02a

    SHA256

    318f8b901a0c9226f41409e97c4167cdf1836508f969ab13b8e004b4f6c9caac

    SHA512

    edde3c33d83b5ba1d527073afbf99568737a82d1142003b7163d5c037e536761a7472b0245a85e0dcab9c89790a82a7470a57b2f1829e75875a92b8495825487

  • C:\Users\Admin\AppData\Local\Temp\nPandaVPN.exe

    Filesize

    2.1MB

    MD5

    c83323d126469b0eaab04876edd391a3

    SHA1

    dc9b1aeb0535cc30eff5f298e81de1476ec8e02a

    SHA256

    318f8b901a0c9226f41409e97c4167cdf1836508f969ab13b8e004b4f6c9caac

    SHA512

    edde3c33d83b5ba1d527073afbf99568737a82d1142003b7163d5c037e536761a7472b0245a85e0dcab9c89790a82a7470a57b2f1829e75875a92b8495825487

  • memory/1684-145-0x0000025680FF0000-0x00000256814A6000-memory.dmp

    Filesize

    4.7MB

  • memory/3360-138-0x0000000074890000-0x0000000075040000-memory.dmp

    Filesize

    7.7MB

  • memory/3360-139-0x0000000000150000-0x0000000000364000-memory.dmp

    Filesize

    2.1MB

  • memory/3360-140-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

    Filesize

    64KB

  • memory/3360-146-0x0000000074890000-0x0000000075040000-memory.dmp

    Filesize

    7.7MB

  • memory/4776-133-0x00007FF71D4F0000-0x00007FF71E101000-memory.dmp

    Filesize

    12.1MB

  • memory/4776-147-0x00007FF71D4F0000-0x00007FF71E101000-memory.dmp

    Filesize

    12.1MB