0ee170eb92a1063c45512e55aa2c4c7e40e58e1cdc77ce13b5fe56163b871531

Analysis

max time kernel
303s
max time network
309s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
01-10-2023 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ٷѰװ.exe
Size

6.8MB
MD5

d29e0172941811344a23c7bd23701942
SHA1

ae606314147c0929bfc3beac462a6d914ebf9bff
SHA256

2229caa63c12cbb42cb66a6644cd4b88c74b440c133df37ec1d0e32e3db67bcf
SHA512

c0f7434326e0a4b99a583dd44344b73cd4ea74a4f11c85cc8def201137f299499b54e63cbcb1df2f771976dd058c5b1213ea53a3fa76ad8eed0b6ad1a1b8958f
SSDEEP

98304:3rr0GhfuHLZ9l8lJA8dHxv1x1zHNCHZ66z24VZbR:br0GhQL7lwJzRv1x1jN4Z66z24VZbR

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SkJL6v6Z.exe

pid process

3056 SkJL6v6Z.exe

pid	process
3056	SkJL6v6Z.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral28/memory/3056-7-0x0000000000400000-0x0000000000558000-memory.dmp	upx
C:\Users\Public\Downloads\2DrV8Xc4\SkJL6v6Z.exe	upx
behavioral28/memory/3056-45-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ٷѰװ.exeSkJL6v6Z.exe

pid	process
2188	ٷѰװ.exe
2188	ٷѰװ.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SkJL6v6Z.exe

pid process

3056 SkJL6v6Z.exe
3056 SkJL6v6Z.exe

pid	process
3056	SkJL6v6Z.exe
3056	SkJL6v6Z.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

ٷѰװ.exeSkJL6v6Z.exe

description	pid	process	target process
PID 2188 wrote to memory of 3056	2188	ٷѰװ.exe	SkJL6v6Z.exe
PID 2188 wrote to memory of 3056	2188	ٷѰװ.exe	SkJL6v6Z.exe
PID 2188 wrote to memory of 3056	2188	ٷѰװ.exe	SkJL6v6Z.exe
PID 2188 wrote to memory of 3056	2188	ٷѰװ.exe	SkJL6v6Z.exe
PID 2188 wrote to memory of 3056	2188	ٷѰװ.exe	SkJL6v6Z.exe
PID 2188 wrote to memory of 3056	2188	ٷѰװ.exe	SkJL6v6Z.exe
PID 2188 wrote to memory of 3056	2188	ٷѰװ.exe	SkJL6v6Z.exe
PID 3056 wrote to memory of 2668	3056	SkJL6v6Z.exe	cmd.exe
PID 3056 wrote to memory of 2668	3056	SkJL6v6Z.exe	cmd.exe
PID 3056 wrote to memory of 2668	3056	SkJL6v6Z.exe	cmd.exe
PID 3056 wrote to memory of 2668	3056	SkJL6v6Z.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ٷѰװ.exe
"C:\Users\Admin\AppData\Local\Temp\ٷѰװ.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Public\Downloads\2DrV8Xc4\SkJL6v6Z.exe
  "C:\Users\Public\Downloads\2DrV8Xc4\SkJL6v6Z.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo.>c:\xxxx.ini
    3⤵
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG

Filesize
36KB

MD5
f6bf82a293b69aa5b47d4e2de305d45a

SHA1
4948716616d4bbe68be2b4c5bf95350402d3f96f

SHA256
6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

SHA512
edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

Download Submit
C:\Users\Public\Downloads\2DrV8Xc4\Edge.jpg

Filesize
358KB

MD5
1eea54e7d8da117c7f1ec5a647189832

SHA1
9c39c0ffee626a03f3712c327656708a46f85c78

SHA256
90ba6b523b9d35cf2f1ca2e402eceeecf94cda78aa13a48a9e1e75c3687c97fa

SHA512
65a0f9a618f524f950200bfb4f183fc0c7c9b5b8e0f4baf0d519f28e0e2f3f04e02ca805492ff43a235d272f3ea06adb3a825c9ee3c86ce10f4fb7640d29f755

Download Submit
C:\Users\Public\Downloads\2DrV8Xc4\SkJL6v6Z.dat

Filesize
132KB

MD5
4149f0d8db7f8de3a56c630b9980bbdc

SHA1
c3c642f00b270f7f10eb0ea7c5eefce17f0ea80b

SHA256
5e7393708215984f021292743cfd59cb7fe2e03dd4d504663b19768efb4d84c2

SHA512
5dd2e1fe0aa82d91b591fd4b01e180b9888ba4c8d36107d64bde32b42a959425e38bc15cf79b677eda3a6b7d6831acde7cac99622dd0ef834ad2258ced1d2921

Download Submit
C:\Users\Public\Downloads\2DrV8Xc4\SkJL6v6Z.exe

Filesize
529KB

MD5
49d595ab380b7c7a4cd6916eeb4dfe6f

SHA1
b84649fce92cc0e7a4d25599cc15ffaf312edc0b

SHA256
207d856a56e97f2fdab243742f0cfcd1ba8b5814dc65b3798e54d022ce719661

SHA512
d00ed0d9baae96ccbaf1262b4a4aaf4468e4ace6cebcea81e74d830bf414d9bc61068b8fb0eefa742add14aec47284f3adc11be26c8b8d66bfae4c498f2a4110

Download Submit
C:\Users\Public\Downloads\2DrV8Xc4\edge.xml

Filesize
53KB

MD5
a2d73bcfbf7df25ebc202742e6b8cbad

SHA1
8f6c17ad94766e4b2d3b59578d3b35b37e9b4ac2

SHA256
07a4d9a2e853399163b3f8f0555b9ffdddf0f91697e3f7f9d0ca48115c43b646

SHA512
ed6d6d2619e8bd640e5d16d5efed64857c044e12cc39209cdbf636ed1afc42d637061890a0ec2d39643a5a63345d77c7da2d34e2be6594f8fd76b7f7ee79851a

Download Submit
memory/3056-7-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/3056-29-0x0000000001E60000-0x0000000001E61000-memory.dmp

Filesize
4KB

Download
memory/3056-32-0x0000000002180000-0x0000000002192000-memory.dmp

Filesize
72KB

Download
memory/3056-34-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/3056-45-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download