1ca6cf952a530b2342d1cc809866962b902d02602568063158384ea12932e428

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2023, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ca6cf952a530b2342d1cc809866962b902d02602568063158384ea12932e428.exe
Size

815KB
MD5

1d6447a3e5da4b8f530d91c4e40dd64c
SHA1

98739d4ebc8181f9c38f4c59c3f186a05b702d61
SHA256

1ca6cf952a530b2342d1cc809866962b902d02602568063158384ea12932e428
SHA512

b9983e1366812fdb5f665fc664e135e2860a2f3317b82ea015bbc32a2e99642c76dafc48d99159cddca266fbf22a679648b5d9d26f3929c4b5d32885e8d5415d
SSDEEP

24576:fO1LHcsboAcntImlnm5bGFZ0XkAck+ffCUyCBZY3/B:G2Acn9CkZ0X2hff/yC3G/B

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5096-0-0x0000000000950000-0x0000000000A88000-memory.dmp	upx
behavioral2/memory/5096-30-0x0000000000950000-0x0000000000A88000-memory.dmp	upx
behavioral2/memory/5096-42-0x0000000000950000-0x0000000000A88000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\AppVEntStreamingManagerXl.sys	cmdkey.exe
File created	C:\Windows\System32\wpr.configXO.sys	cmdkey.exe
File created	C:\Windows\System32\WebsockettoG.sys	cmdkey.exe
File created	C:\Windows\System32\RdpSan3R.sys	cmdkey.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{0236F22F-857F-457E-AB99-5CF97D548F15}.catalogItem	svchost.exe
File created	C:\Windows\System32\recoverQz.sys	cmdkey.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsShell13561.log	1ca6cf952a530b2342d1cc809866962b902d02602568063158384ea12932e428.exe
File opened for modification	C:\Windows\WindowSystemNewUpdate72.log	regedit.exe
File opened for modification	C:\Windows\WindowTerminalVaild431.log	regedit.exe
File opened for modification	C:\Windows\WindowMicrosoftNET471.log	regedit.exe
File opened for modification	C:\Windows\WindowsShell22703.log	regedit.exe
File opened for modification	C:\Windows\WindowRedSystem13.log	cmdkey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs regedit.exe 1 IoCs

pid	Process
3112	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3112	regedit.exe
3112	regedit.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe
3360	cmdkey.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	5096	1ca6cf952a530b2342d1cc809866962b902d02602568063158384ea12932e428.exe
Token: SeDebugPrivilege	3112	regedit.exe
Token: SeIncBasePriorityPrivilege	5096	1ca6cf952a530b2342d1cc809866962b902d02602568063158384ea12932e428.exe
Token: SeDebugPrivilege	3112	regedit.exe
Token: SeDebugPrivilege	3112	regedit.exe
Token: SeDebugPrivilege	3112	regedit.exe
Token: SeDebugPrivilege	3112	regedit.exe
Token: SeDebugPrivilege	3360	cmdkey.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 3112	5096	1ca6cf952a530b2342d1cc809866962b902d02602568063158384ea12932e428.exe	85
PID 5096 wrote to memory of 3112	5096	1ca6cf952a530b2342d1cc809866962b902d02602568063158384ea12932e428.exe	85
PID 5096 wrote to memory of 3112	5096	1ca6cf952a530b2342d1cc809866962b902d02602568063158384ea12932e428.exe	85
PID 5096 wrote to memory of 3112	5096	1ca6cf952a530b2342d1cc809866962b902d02602568063158384ea12932e428.exe	85
PID 5096 wrote to memory of 3112	5096	1ca6cf952a530b2342d1cc809866962b902d02602568063158384ea12932e428.exe	85
PID 5096 wrote to memory of 3112	5096	1ca6cf952a530b2342d1cc809866962b902d02602568063158384ea12932e428.exe	85
PID 5096 wrote to memory of 2944	5096	1ca6cf952a530b2342d1cc809866962b902d02602568063158384ea12932e428.exe	88
PID 5096 wrote to memory of 2944	5096	1ca6cf952a530b2342d1cc809866962b902d02602568063158384ea12932e428.exe	88
PID 5096 wrote to memory of 2944	5096	1ca6cf952a530b2342d1cc809866962b902d02602568063158384ea12932e428.exe	88
PID 3112 wrote to memory of 3360	3112	regedit.exe	90
PID 3112 wrote to memory of 3360	3112	regedit.exe	90
PID 3112 wrote to memory of 3360	3112	regedit.exe	90
PID 3112 wrote to memory of 3360	3112	regedit.exe	90
PID 3112 wrote to memory of 3360	3112	regedit.exe	90
PID 3112 wrote to memory of 3360	3112	regedit.exe	90

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:2504

C:\Users\Admin\AppData\Local\Temp\1ca6cf952a530b2342d1cc809866962b902d02602568063158384ea12932e428.exe
"C:\Users\Admin\AppData\Local\Temp\1ca6cf952a530b2342d1cc809866962b902d02602568063158384ea12932e428.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\SysWOW64\regedit.exe"
  2⤵
  - Drops file in Windows directory
  - Runs regedit.exe
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Windows\SysWOW64\cmdkey.exe
    "C:\Windows\SysWOW64\cmdkey.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1CA6CF~1.EXE > nul
  2⤵
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\WindowRedSystem13.log

Filesize
7KB

MD5
c5186df8a5361ce43f26a4296b5ea47f

SHA1
57bf8b71597e4a53b9f3334b4464900ed8e336ff

SHA256
d3d414d6bbc00101d992fec141e675ea8538b9b878618448d3fd28c3325dee2c

SHA512
c08a33e205b79e98e0f122c4aaae3965d4bd490cbe0acbf950a6b65cc4f6d2a08c00e463e35b80051dc12b0bb0ce2a6381674d98b1c5e5e90d0e426937c2cda1

Download Submit
C:\Windows\WindowSystemNewUpdate72.log

Filesize
6KB

MD5
96dee58fbbf1e48c47516139eeb972f0

SHA1
9aa704cd02f2a16b36796a206ae75ac38b128949

SHA256
266af65beb43e0a6b090ed91b9938e9dd86d4e1b63e9749b3612310a2010f689

SHA512
bdddbce24195f30a5e8303abf410fff1bacf8e67001a5ec8a7c01040a69b14516bb145c63eebe81f7cbadd830f96b9b6871ecf74fb32bc8380b227c81f6a7435

Download Submit
memory/3112-86-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/3112-47-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/3112-9-0x00000000011E0000-0x00000000011FB000-memory.dmp

Filesize
108KB

Download
memory/3112-10-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/3112-18-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/3112-21-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/3112-23-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/3112-27-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/3112-3-0x0000000000AC0000-0x0000000000BC8000-memory.dmp

Filesize
1.0MB

Download
memory/3112-35-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/3112-36-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/3112-37-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/3112-38-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/3112-41-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/3112-6-0x00000000011E0000-0x00000000011FB000-memory.dmp

Filesize
108KB

Download
memory/3112-44-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/3112-51-0x0000000003560000-0x0000000003659000-memory.dmp

Filesize
996KB

Download
memory/3112-48-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/3112-8-0x00000000011E0000-0x00000000011FB000-memory.dmp

Filesize
108KB

Download
memory/3112-50-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/3112-65-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/3112-61-0x0000000003560000-0x0000000003659000-memory.dmp

Filesize
996KB

Download
memory/3112-64-0x0000000003560000-0x0000000003659000-memory.dmp

Filesize
996KB

Download
memory/3112-59-0x0000000003560000-0x0000000003659000-memory.dmp

Filesize
996KB

Download
memory/3112-67-0x0000000001240000-0x0000000001278000-memory.dmp

Filesize
224KB

Download
memory/3112-73-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/3112-76-0x00000000038B0000-0x0000000003916000-memory.dmp

Filesize
408KB

Download
memory/3112-81-0x0000000003560000-0x0000000003659000-memory.dmp

Filesize
996KB

Download
memory/3112-181-0x0000000003560000-0x0000000003659000-memory.dmp

Filesize
996KB

Download
memory/3112-89-0x0000000004450000-0x0000000004929000-memory.dmp

Filesize
4.8MB

Download
memory/3112-175-0x0000000003560000-0x0000000003659000-memory.dmp

Filesize
996KB

Download
memory/3360-133-0x0000000000DE0000-0x0000000000DFB000-memory.dmp

Filesize
108KB

Download
memory/3360-152-0x0000000010000000-0x0000000010601000-memory.dmp

Filesize
6.0MB

Download
memory/3360-132-0x0000000001000000-0x000000000160C000-memory.dmp

Filesize
6.0MB

Download
memory/3360-231-0x0000000000DE0000-0x0000000000DFB000-memory.dmp

Filesize
108KB

Download
memory/3360-237-0x0000000010000000-0x0000000010601000-memory.dmp

Filesize
6.0MB

Download
memory/5096-0-0x0000000000950000-0x0000000000A88000-memory.dmp

Filesize
1.2MB

Download
memory/5096-42-0x0000000000950000-0x0000000000A88000-memory.dmp

Filesize
1.2MB

Download
memory/5096-30-0x0000000000950000-0x0000000000A88000-memory.dmp

Filesize
1.2MB

Download