392fe355879b88fe291e48ff656d212bda2b08240922be70d77cf55151b17a05

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2023, 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

392fe355879b88fe291e48ff656d212bda2b08240922be70d77cf55151b17a05.exe
Size

3.0MB
MD5

0a8b50005ae3d3f20d23d8f04ba46b75
SHA1

8c963322fda3f4660a0a5a70aaff27d3900610b1
SHA256

392fe355879b88fe291e48ff656d212bda2b08240922be70d77cf55151b17a05
SHA512

1eb1a74b613ead9f7cf910ec1af43932319e390856f8cc9a2e3d83d0ed5ee7c8b2911ec52d26969b99d4f971a9a790444bc8baddeb0d45de4c1674035d43c470
SSDEEP

49152:kzR2Acn9CkZ0X2hff/yC3G/rzzvNts87++yINgdj:kxyrpR3fezjL++yINM

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1968-0-0x0000000000440000-0x00000000004D7000-memory.dmp	upx
behavioral2/memory/1968-28-0x0000000000440000-0x00000000004D7000-memory.dmp	upx

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\directmanipulationG7n.sys	wscadminui.exe
File created	C:\Windows\System32\chs_singlechar_pinyintFV.sys	wscadminui.exe
File created	C:\Windows\System32\rasplapyqB.sys	wscadminui.exe
File created	C:\Windows\System32\KBDINGUJGg.sys	wscadminui.exe
File created	C:\Windows\System32\WinFaxEInA.sys	wscadminui.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowTerminalVaild27.log	gpupdate.exe
File opened for modification	C:\Windows\WindowMicrosoftNET02.log	gpupdate.exe
File opened for modification	C:\Windows\WindowsShell48777.log	gpupdate.exe
File opened for modification	C:\Windows\WindowRedSystem11.log	wscadminui.exe
File opened for modification	C:\Windows\WindowsShell35851.log	392fe355879b88fe291e48ff656d212bda2b08240922be70d77cf55151b17a05.exe
File opened for modification	C:\Windows\WindowSystemNewUpdate462.log	gpupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe
3460	wscadminui.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	392fe355879b88fe291e48ff656d212bda2b08240922be70d77cf55151b17a05.exe
Token: SeDebugPrivilege	1496	gpupdate.exe
Token: SeIncBasePriorityPrivilege	1968	392fe355879b88fe291e48ff656d212bda2b08240922be70d77cf55151b17a05.exe
Token: SeDebugPrivilege	1496	gpupdate.exe
Token: SeDebugPrivilege	1496	gpupdate.exe
Token: SeDebugPrivilege	1496	gpupdate.exe
Token: SeDebugPrivilege	1496	gpupdate.exe
Token: SeDebugPrivilege	3460	wscadminui.exe
Token: SeDebugPrivilege	1496	gpupdate.exe
Token: SeDebugPrivilege	1496	gpupdate.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1496	1968	392fe355879b88fe291e48ff656d212bda2b08240922be70d77cf55151b17a05.exe	81
PID 1968 wrote to memory of 1496	1968	392fe355879b88fe291e48ff656d212bda2b08240922be70d77cf55151b17a05.exe	81
PID 1968 wrote to memory of 1496	1968	392fe355879b88fe291e48ff656d212bda2b08240922be70d77cf55151b17a05.exe	81
PID 1968 wrote to memory of 1496	1968	392fe355879b88fe291e48ff656d212bda2b08240922be70d77cf55151b17a05.exe	81
PID 1968 wrote to memory of 1496	1968	392fe355879b88fe291e48ff656d212bda2b08240922be70d77cf55151b17a05.exe	81
PID 1968 wrote to memory of 1496	1968	392fe355879b88fe291e48ff656d212bda2b08240922be70d77cf55151b17a05.exe	81
PID 1968 wrote to memory of 4992	1968	392fe355879b88fe291e48ff656d212bda2b08240922be70d77cf55151b17a05.exe	88
PID 1968 wrote to memory of 4992	1968	392fe355879b88fe291e48ff656d212bda2b08240922be70d77cf55151b17a05.exe	88
PID 1968 wrote to memory of 4992	1968	392fe355879b88fe291e48ff656d212bda2b08240922be70d77cf55151b17a05.exe	88
PID 1496 wrote to memory of 3460	1496	gpupdate.exe	94
PID 1496 wrote to memory of 3460	1496	gpupdate.exe	94
PID 1496 wrote to memory of 3460	1496	gpupdate.exe	94
PID 1496 wrote to memory of 3460	1496	gpupdate.exe	94
PID 1496 wrote to memory of 3460	1496	gpupdate.exe	94
PID 1496 wrote to memory of 3460	1496	gpupdate.exe	94

C:\Users\Admin\AppData\Local\Temp\392fe355879b88fe291e48ff656d212bda2b08240922be70d77cf55151b17a05.exe
"C:\Users\Admin\AppData\Local\Temp\392fe355879b88fe291e48ff656d212bda2b08240922be70d77cf55151b17a05.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\gpupdate.exe
  "C:\Windows\SysWOW64\gpupdate.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\wscadminui.exe
    "C:\Windows\SysWOW64\wscadminui.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\392FE3~1.EXE > nul
  2⤵
  PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\WindowRedSystem11.log

Filesize
7KB

MD5
fc9d5966fc8e72b0e31d15165d064744

SHA1
c133eb35fd390f18950353c26574e556647ed4fb

SHA256
5cc5f9c0ce2016e46b059c917694cb782affb8c8b4a4a1f47a0578bc8a6216d3

SHA512
f032f7e9b2e2fd985468aff933a57dc17755d31ef777e88857b3fa7cd893e77ebfda29b21e902c8eae313d02eab5b01e93526883426f49d34b8906f9a7d556a7

Download Submit
C:\Windows\WindowSystemNewUpdate462.log

Filesize
6KB

MD5
b88a9c621513d30a0d0699fc159b24cb

SHA1
028cbf3d8942b2eacc7cd73b00461052fa51f7e4

SHA256
0e1a8fe1c185e5064b614c3c8d25e2db6c52eca9df6c617f98e5f3046943d1eb

SHA512
376d9fddbbe4eda74c887d5c311d43009e3475bf08bb430830eec356703241983473cfc97f7f4b4f0fdc20f72e70cdd0a8edcd28846c8c47c22515872547b95a

Download Submit
memory/1496-45-0x0000000002910000-0x0000000002A09000-memory.dmp

Filesize
996KB

Download
memory/1496-48-0x00000000009B0000-0x00000000009E8000-memory.dmp

Filesize
224KB

Download
memory/1496-8-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/1496-14-0x0000000000960000-0x000000000097B000-memory.dmp

Filesize
108KB

Download
memory/1496-2-0x0000000000480000-0x00000000004E7000-memory.dmp

Filesize
412KB

Download
memory/1496-34-0x0000000002910000-0x0000000002A09000-memory.dmp

Filesize
996KB

Download
memory/1496-42-0x0000000002910000-0x0000000002A09000-memory.dmp

Filesize
996KB

Download
memory/1496-43-0x0000000002910000-0x0000000002A09000-memory.dmp

Filesize
996KB

Download
memory/1496-143-0x0000000002910000-0x0000000002A09000-memory.dmp

Filesize
996KB

Download
memory/1496-6-0x0000000000960000-0x000000000097B000-memory.dmp

Filesize
108KB

Download
memory/1496-57-0x0000000002E90000-0x0000000002EF6000-memory.dmp

Filesize
408KB

Download
memory/1496-68-0x0000000003650000-0x0000000003B29000-memory.dmp

Filesize
4.8MB

Download
memory/1496-94-0x0000000002910000-0x0000000002A09000-memory.dmp

Filesize
996KB

Download
memory/1496-298-0x0000000009240000-0x00000000095C3000-memory.dmp

Filesize
3.5MB

Download
memory/1496-4-0x0000000000960000-0x000000000097B000-memory.dmp

Filesize
108KB

Download
memory/1496-289-0x0000000009240000-0x00000000095C3000-memory.dmp

Filesize
3.5MB

Download
memory/1496-286-0x0000000009240000-0x00000000095C3000-memory.dmp

Filesize
3.5MB

Download
memory/1968-0-0x0000000000440000-0x00000000004D7000-memory.dmp

Filesize
604KB

Download
memory/1968-28-0x0000000000440000-0x00000000004D7000-memory.dmp

Filesize
604KB

Download
memory/3460-101-0x0000000000F80000-0x0000000000F9B000-memory.dmp

Filesize
108KB

Download
memory/3460-125-0x0000000010000000-0x0000000010601000-memory.dmp

Filesize
6.0MB

Download
memory/3460-124-0x0000000010000000-0x0000000010601000-memory.dmp

Filesize
6.0MB

Download
memory/3460-127-0x0000000010000000-0x0000000010601000-memory.dmp

Filesize
6.0MB

Download
memory/3460-122-0x0000000010000000-0x0000000010601000-memory.dmp

Filesize
6.0MB

Download
memory/3460-208-0x0000000010000000-0x0000000010601000-memory.dmp

Filesize
6.0MB

Download
memory/3460-120-0x0000000010000000-0x0000000010601000-memory.dmp

Filesize
6.0MB

Download
memory/3460-107-0x0000000010000000-0x0000000010601000-memory.dmp

Filesize
6.0MB

Download
memory/3460-105-0x0000000000F80000-0x0000000000F9B000-memory.dmp

Filesize
108KB

Download
memory/3460-104-0x0000000000F80000-0x0000000000F9B000-memory.dmp

Filesize
108KB

Download
memory/3460-98-0x00000000004A0000-0x0000000000AAC000-memory.dmp

Filesize
6.0MB

Download