9504d73eb492959b429ed27389827d0ae51bc9c03d57a21fb858a1b5b4ffd824

Analysis

max time kernel
166s
max time network
166s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
19/09/2023, 13:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9504d73eb492959b429ed27389827d0ae51bc9c03d57a21fb858a1b5b4ffd824.exe
Size

4.7MB
MD5

b3623c91bd47e7237bef902e9231b95e
SHA1

918bd777a92a8927612faac9815a9754423d76b3
SHA256

9504d73eb492959b429ed27389827d0ae51bc9c03d57a21fb858a1b5b4ffd824
SHA512

c264b3bf000aadcf78261c788371ad4518241a3095849e02054f83d55541d9ba5aa8bfc72f08aaa4b35f9bb1d37a01c0ca7980de8f650a8c483b3e30fe54085d
SSDEEP

98304:FgMB/J1S7RvAMk1x1U9LCMxEpGZqJ2iVQ3:FgMH16vxk1x1OLJViE

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1360	aLhvzUbt.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d00000001226a-5.dat	upx
behavioral1/memory/1360-7-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/memory/1360-45-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1948	9504d73eb492959b429ed27389827d0ae51bc9c03d57a21fb858a1b5b4ffd824.exe
1948	9504d73eb492959b429ed27389827d0ae51bc9c03d57a21fb858a1b5b4ffd824.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1360	aLhvzUbt.exe
1360	aLhvzUbt.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1360	1948	9504d73eb492959b429ed27389827d0ae51bc9c03d57a21fb858a1b5b4ffd824.exe	28
PID 1948 wrote to memory of 1360	1948	9504d73eb492959b429ed27389827d0ae51bc9c03d57a21fb858a1b5b4ffd824.exe	28
PID 1948 wrote to memory of 1360	1948	9504d73eb492959b429ed27389827d0ae51bc9c03d57a21fb858a1b5b4ffd824.exe	28
PID 1948 wrote to memory of 1360	1948	9504d73eb492959b429ed27389827d0ae51bc9c03d57a21fb858a1b5b4ffd824.exe	28
PID 1948 wrote to memory of 1360	1948	9504d73eb492959b429ed27389827d0ae51bc9c03d57a21fb858a1b5b4ffd824.exe	28
PID 1948 wrote to memory of 1360	1948	9504d73eb492959b429ed27389827d0ae51bc9c03d57a21fb858a1b5b4ffd824.exe	28
PID 1948 wrote to memory of 1360	1948	9504d73eb492959b429ed27389827d0ae51bc9c03d57a21fb858a1b5b4ffd824.exe	28
PID 1360 wrote to memory of 2876	1360	aLhvzUbt.exe	29
PID 1360 wrote to memory of 2876	1360	aLhvzUbt.exe	29
PID 1360 wrote to memory of 2876	1360	aLhvzUbt.exe	29
PID 1360 wrote to memory of 2876	1360	aLhvzUbt.exe	29

C:\Users\Admin\AppData\Local\Temp\9504d73eb492959b429ed27389827d0ae51bc9c03d57a21fb858a1b5b4ffd824.exe
"C:\Users\Admin\AppData\Local\Temp\9504d73eb492959b429ed27389827d0ae51bc9c03d57a21fb858a1b5b4ffd824.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Public\Downloads\L1f2S8Zu\aLhvzUbt.exe
  "C:\Users\Public\Downloads\L1f2S8Zu\aLhvzUbt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo.>c:\xxxx.ini
    3⤵
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG

Filesize
36KB

MD5
f6bf82a293b69aa5b47d4e2de305d45a

SHA1
4948716616d4bbe68be2b4c5bf95350402d3f96f

SHA256
6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

SHA512
edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

Download Submit
C:\Users\Public\Downloads\L1f2S8Zu\Edge.jpg

Filesize
358KB

MD5
2725452878c2a8440778f93c2e53f7b9

SHA1
9fbf4d30eb51c3720265edad5d31d22f1dad3669

SHA256
667aece181a85744506dac718beba5b5a83656849423485acd99ec1b135ca767

SHA512
cd6d1ce431e41130ec58e9a91b38f2a0357e799f626e7537c851969376b2607d6c85397308a1fccd6eea1586de14c1faeb20c2371ab072c90149b2adf9470681

Download Submit
C:\Users\Public\Downloads\L1f2S8Zu\aLhvzUbt.dat

Filesize
132KB

MD5
1bfe82954c12ce24e5d61b495f93baa8

SHA1
18ab394653a6296c4c7543509d5004f2e04156a9

SHA256
c6b51e337d9c2dc0b1914b7a5961ef312527640856f9b5735a53fea3a0daadee

SHA512
cdbfd9642b48705ce43d2e19d80033ed91815279b618e05a30fbea32bd260d9cd22da4c403500f0fec3b5120fad462b124ea38616ffa30b4f02b2f781c51f635

Download Submit
C:\Users\Public\Downloads\L1f2S8Zu\aLhvzUbt.exe

Filesize
529KB

MD5
49d595ab380b7c7a4cd6916eeb4dfe6f

SHA1
b84649fce92cc0e7a4d25599cc15ffaf312edc0b

SHA256
207d856a56e97f2fdab243742f0cfcd1ba8b5814dc65b3798e54d022ce719661

SHA512
d00ed0d9baae96ccbaf1262b4a4aaf4468e4ace6cebcea81e74d830bf414d9bc61068b8fb0eefa742add14aec47284f3adc11be26c8b8d66bfae4c498f2a4110

Download Submit
C:\Users\Public\Downloads\L1f2S8Zu\edge.xml

Filesize
53KB

MD5
26cf4f3fea5189f969c5d1eeff116c90

SHA1
a3e6baef415b71d763e8d41a0c7c8d13f43207cb

SHA256
e384c04356793df7c13076ef36fa6dd7b181cd7505aaecd3914f846cb754ff2b

SHA512
9871a259ab34b456754c44f8d9d1d1d836a2f24aa6e394a5ee6e466fb4beabc3c73cf0e539c7bbd51e0c4ff830bcdc085fb226e130bbd253e3eda0bde16542f4

Download Submit
memory/1360-7-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1360-29-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1360-31-0x0000000002120000-0x0000000002132000-memory.dmp

Filesize
72KB

Download
memory/1360-34-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/1360-45-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download