cf20c61f4943e0394e26530e153a5a460a70e4e79c1d0c85d34812e243e4f2f7

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
31/08/2023, 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf20c61f4943e0394e26530e153a5a460a70e4e79c1d0c85d34812e243e4f2f7.exe
Size

1.9MB
MD5

c05b784aae5345c163a5f2177413c4f2
SHA1

af5bfe81b11a47963c41d82ba7996c6a7538fc90
SHA256

cf20c61f4943e0394e26530e153a5a460a70e4e79c1d0c85d34812e243e4f2f7
SHA512

de8f024f65cca0b004de1a0539d5603b9c3e26493a60f1930962c6521011615a1520eef808b4c149564f4e965b661500f7a28e988a8ed622159bebd3e766040e
SSDEEP

49152:WRQDdA8cwl54/y69SSJX9Hg7v5i+V2+IfLfgB:WOm8cwgy6QSTHQv72zfD

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2796-0-0x00000000000A0000-0x00000000005EA000-memory.dmp	upx
behavioral1/memory/2796-1-0x00000000000A0000-0x00000000005EA000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2120	wmic.exe
Token: SeSecurityPrivilege	2120	wmic.exe
Token: SeTakeOwnershipPrivilege	2120	wmic.exe
Token: SeLoadDriverPrivilege	2120	wmic.exe
Token: SeSystemProfilePrivilege	2120	wmic.exe
Token: SeSystemtimePrivilege	2120	wmic.exe
Token: SeProfSingleProcessPrivilege	2120	wmic.exe
Token: SeIncBasePriorityPrivilege	2120	wmic.exe
Token: SeCreatePagefilePrivilege	2120	wmic.exe
Token: SeBackupPrivilege	2120	wmic.exe
Token: SeRestorePrivilege	2120	wmic.exe
Token: SeShutdownPrivilege	2120	wmic.exe
Token: SeDebugPrivilege	2120	wmic.exe
Token: SeSystemEnvironmentPrivilege	2120	wmic.exe
Token: SeRemoteShutdownPrivilege	2120	wmic.exe
Token: SeUndockPrivilege	2120	wmic.exe
Token: SeManageVolumePrivilege	2120	wmic.exe
Token: 33	2120	wmic.exe
Token: 34	2120	wmic.exe
Token: 35	2120	wmic.exe
Token: SeIncreaseQuotaPrivilege	2120	wmic.exe
Token: SeSecurityPrivilege	2120	wmic.exe
Token: SeTakeOwnershipPrivilege	2120	wmic.exe
Token: SeLoadDriverPrivilege	2120	wmic.exe
Token: SeSystemProfilePrivilege	2120	wmic.exe
Token: SeSystemtimePrivilege	2120	wmic.exe
Token: SeProfSingleProcessPrivilege	2120	wmic.exe
Token: SeIncBasePriorityPrivilege	2120	wmic.exe
Token: SeCreatePagefilePrivilege	2120	wmic.exe
Token: SeBackupPrivilege	2120	wmic.exe
Token: SeRestorePrivilege	2120	wmic.exe
Token: SeShutdownPrivilege	2120	wmic.exe
Token: SeDebugPrivilege	2120	wmic.exe
Token: SeSystemEnvironmentPrivilege	2120	wmic.exe
Token: SeRemoteShutdownPrivilege	2120	wmic.exe
Token: SeUndockPrivilege	2120	wmic.exe
Token: SeManageVolumePrivilege	2120	wmic.exe
Token: 33	2120	wmic.exe
Token: 34	2120	wmic.exe
Token: 35	2120	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2120	2796	cf20c61f4943e0394e26530e153a5a460a70e4e79c1d0c85d34812e243e4f2f7.exe	29
PID 2796 wrote to memory of 2120	2796	cf20c61f4943e0394e26530e153a5a460a70e4e79c1d0c85d34812e243e4f2f7.exe	29
PID 2796 wrote to memory of 2120	2796	cf20c61f4943e0394e26530e153a5a460a70e4e79c1d0c85d34812e243e4f2f7.exe	29

C:\Users\Admin\AppData\Local\Temp\cf20c61f4943e0394e26530e153a5a460a70e4e79c1d0c85d34812e243e4f2f7.exe
"C:\Users\Admin\AppData\Local\Temp\cf20c61f4943e0394e26530e153a5a460a70e4e79c1d0c85d34812e243e4f2f7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2796-0-0x00000000000A0000-0x00000000005EA000-memory.dmp

Filesize
5.3MB

Download
memory/2796-1-0x00000000000A0000-0x00000000005EA000-memory.dmp

Filesize
5.3MB

Download