0ee170eb92a1063c45512e55aa2c4c7e40e58e1cdc77ce13b5fe56163b871531

Analysis

max time kernel
300s
max time network
305s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
01-10-2023 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

˫װ.exe
Size

6.8MB
MD5

4e53a65f92a258aafe4654ad6ea14332
SHA1

ba11d19faa5f68f795d0355fa11091d3904889c1
SHA256

ec0029ed11e838c80c35da057f69ff7be9a01a9b1fa2246f530c49c2fa56e647
SHA512

04e125f3c99e81a9b227177f51c142818177e79642cfc93f2ecab9fc658c85aba2533718ad40583c85229bf280b05d9913bcb5b5f98d8f0e94c0cc736e352b30
SSDEEP

98304:3rr0GhfuHLZ9l8lJA8dHxv1x13pQCHZ66z24VZbR:br0GhQL7lwJzRv1x15Q4Z66z24VZbR

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ruyEi8YC.exe

pid process

3768 ruyEi8YC.exe

pid	process
3768	ruyEi8YC.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Public\Downloads\GuefLQ6u\ruyEi8YC.exe	upx
behavioral26/memory/3768-6-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral26/memory/3768-44-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

˫װ.exeruyEi8YC.exe

pid	process
2168	˫װ.exe
2168	˫װ.exe
2168	˫װ.exe
2168	˫װ.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ruyEi8YC.exe

pid process

3768 ruyEi8YC.exe
3768 ruyEi8YC.exe

pid	process
3768	ruyEi8YC.exe
3768	ruyEi8YC.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

˫װ.exeruyEi8YC.exe

description	pid	process	target process
PID 2168 wrote to memory of 3768	2168	˫װ.exe	ruyEi8YC.exe
PID 2168 wrote to memory of 3768	2168	˫װ.exe	ruyEi8YC.exe
PID 2168 wrote to memory of 3768	2168	˫װ.exe	ruyEi8YC.exe
PID 3768 wrote to memory of 4716	3768	ruyEi8YC.exe	cmd.exe
PID 3768 wrote to memory of 4716	3768	ruyEi8YC.exe	cmd.exe
PID 3768 wrote to memory of 4716	3768	ruyEi8YC.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\˫װ.exe
"C:\Users\Admin\AppData\Local\Temp\˫װ.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Public\Downloads\GuefLQ6u\ruyEi8YC.exe
"C:\Users\Public\Downloads\GuefLQ6u\ruyEi8YC.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\SysWOW64\cmd.exe
cmd /c echo.>c:\xxxx.ini
3⤵
PID:4716

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG
Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG
Filesize
36KB

MD5
f6bf82a293b69aa5b47d4e2de305d45a

SHA1
4948716616d4bbe68be2b4c5bf95350402d3f96f

SHA256
6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

SHA512
edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

Download Submit
C:\Users\Public\Downloads\GuefLQ6u\Edge.jpg
Filesize
358KB

MD5
e8ac25f97a5b7d2483f5b90afcc84c5d

SHA1
05eff553dbef71e26a172d169bd39c2f07e4bbb5

SHA256
ed6015ff5aa3c8fe1c21b22370b75e0ae49311cf4240cc1918214f0c63488bee

SHA512
7e344acb84fcb7b4e1f2aade9389b3ee323b769b301e9f477a3a75b4e586dde83147a7656500a8fcedb5d021419d7f0e60f970b9aecac3fffb4b04e88c370638

Download Submit
C:\Users\Public\Downloads\GuefLQ6u\edge.xml
Filesize
53KB

MD5
c01854d7e6be8474cfccbfb8ecf81d0b

SHA1
d5fb64c8e4e7c6bb1b5322ddd67e43974b20cf06

SHA256
a31251575a2dcb37ab41d4cb0fa5704c60c66b784cacf101ddb07252044b3746

SHA512
fcf768c89c8747e6a6a69f2ff99ae588b3662157f83039ce1209263878b63abf2dcf6f43dad72ec688f25332c87a1b09acb47d6e2ea5c62ce76592b942be2f9f

Download Submit
C:\Users\Public\Downloads\GuefLQ6u\ruyEi8YC.dat
Filesize
132KB

MD5
116cc84dce60ec0b3835c2ad1c2424a7

SHA1
c171d7f80c2e6388563f5cdbe8f40e19b8e4a01a

SHA256
d7fb488e57ab01b4b9066fa4aed702c541dc99b98b4804b5811d0cf377090c4e

SHA512
03a29f6ac59cdefdf46247c2fe917d418541b814e5cbe3bdb47434ad88660eedcd3cdaa5f110840f9034d8ecf7b9f552564722445cb5a8fa441c3389a2ddaa93

Download Submit
C:\Users\Public\Downloads\GuefLQ6u\ruyEi8YC.exe
Filesize
529KB

MD5
49d595ab380b7c7a4cd6916eeb4dfe6f

SHA1
b84649fce92cc0e7a4d25599cc15ffaf312edc0b

SHA256
207d856a56e97f2fdab243742f0cfcd1ba8b5814dc65b3798e54d022ce719661

SHA512
d00ed0d9baae96ccbaf1262b4a4aaf4468e4ace6cebcea81e74d830bf414d9bc61068b8fb0eefa742add14aec47284f3adc11be26c8b8d66bfae4c498f2a4110

Download Submit
memory/3768-6-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/3768-31-0x0000000003720000-0x0000000003732000-memory.dmp

Filesize
72KB

Download
memory/3768-33-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/3768-28-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/3768-44-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download