d4b433f840d20da926016e7d5d13c31c9c150726d490c7b7807e821dcec176f8

Analysis

max time kernel
144s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2023, 11:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe
Size

4.8MB
MD5

f937e4bdc3d6c2c18b2d4b9f4229adc3
SHA1

ee79046f53d046ea38c23c08a47385bbfccab50d
SHA256

f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4
SHA512

0f39eaa2718e0c288a987d31f671c10ba264937f2da7b4cd0e088ae46debba8988ba0863e9c5943ca10377bbdaaec3c6bcfc5f47010e57018c2fc14f8b06b0dc
SSDEEP

98304:J9n5KVVkDXYcIrWWnEuGnfDhinxjOebBzLnjNG4MvIn5kmPrpo/OzKwTZCEDk3Tv:BQqYqqADhi3tzL5G4zpXL5DSTv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2924	signtool.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4304-0-0x0000000000400000-0x0000000000A38000-memory.dmp	upx
behavioral2/memory/4304-8-0x0000000000400000-0x0000000000A38000-memory.dmp	upx
behavioral2/memory/4304-9-0x0000000000400000-0x0000000000A38000-memory.dmp	upx
behavioral2/memory/4304-10-0x0000000000400000-0x0000000000A38000-memory.dmp	upx
behavioral2/memory/4304-12-0x0000000000400000-0x0000000000A38000-memory.dmp	upx
behavioral2/memory/4304-15-0x0000000000400000-0x0000000000A38000-memory.dmp	upx
behavioral2/memory/4304-17-0x0000000000400000-0x0000000000A38000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4544	WMIC.exe
Token: SeSecurityPrivilege	4544	WMIC.exe
Token: SeTakeOwnershipPrivilege	4544	WMIC.exe
Token: SeLoadDriverPrivilege	4544	WMIC.exe
Token: SeSystemProfilePrivilege	4544	WMIC.exe
Token: SeSystemtimePrivilege	4544	WMIC.exe
Token: SeProfSingleProcessPrivilege	4544	WMIC.exe
Token: SeIncBasePriorityPrivilege	4544	WMIC.exe
Token: SeCreatePagefilePrivilege	4544	WMIC.exe
Token: SeBackupPrivilege	4544	WMIC.exe
Token: SeRestorePrivilege	4544	WMIC.exe
Token: SeShutdownPrivilege	4544	WMIC.exe
Token: SeDebugPrivilege	4544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4544	WMIC.exe
Token: SeRemoteShutdownPrivilege	4544	WMIC.exe
Token: SeUndockPrivilege	4544	WMIC.exe
Token: SeManageVolumePrivilege	4544	WMIC.exe
Token: 33	4544	WMIC.exe
Token: 34	4544	WMIC.exe
Token: 35	4544	WMIC.exe
Token: 36	4544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4544	WMIC.exe
Token: SeSecurityPrivilege	4544	WMIC.exe
Token: SeTakeOwnershipPrivilege	4544	WMIC.exe
Token: SeLoadDriverPrivilege	4544	WMIC.exe
Token: SeSystemProfilePrivilege	4544	WMIC.exe
Token: SeSystemtimePrivilege	4544	WMIC.exe
Token: SeProfSingleProcessPrivilege	4544	WMIC.exe
Token: SeIncBasePriorityPrivilege	4544	WMIC.exe
Token: SeCreatePagefilePrivilege	4544	WMIC.exe
Token: SeBackupPrivilege	4544	WMIC.exe
Token: SeRestorePrivilege	4544	WMIC.exe
Token: SeShutdownPrivilege	4544	WMIC.exe
Token: SeDebugPrivilege	4544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4544	WMIC.exe
Token: SeRemoteShutdownPrivilege	4544	WMIC.exe
Token: SeUndockPrivilege	4544	WMIC.exe
Token: SeManageVolumePrivilege	4544	WMIC.exe
Token: 33	4544	WMIC.exe
Token: 34	4544	WMIC.exe
Token: 35	4544	WMIC.exe
Token: 36	4544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1896	WMIC.exe
Token: SeSecurityPrivilege	1896	WMIC.exe
Token: SeTakeOwnershipPrivilege	1896	WMIC.exe
Token: SeLoadDriverPrivilege	1896	WMIC.exe
Token: SeSystemProfilePrivilege	1896	WMIC.exe
Token: SeSystemtimePrivilege	1896	WMIC.exe
Token: SeProfSingleProcessPrivilege	1896	WMIC.exe
Token: SeIncBasePriorityPrivilege	1896	WMIC.exe
Token: SeCreatePagefilePrivilege	1896	WMIC.exe
Token: SeBackupPrivilege	1896	WMIC.exe
Token: SeRestorePrivilege	1896	WMIC.exe
Token: SeShutdownPrivilege	1896	WMIC.exe
Token: SeDebugPrivilege	1896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1896	WMIC.exe
Token: SeRemoteShutdownPrivilege	1896	WMIC.exe
Token: SeUndockPrivilege	1896	WMIC.exe
Token: SeManageVolumePrivilege	1896	WMIC.exe
Token: 33	1896	WMIC.exe
Token: 34	1896	WMIC.exe
Token: 35	1896	WMIC.exe
Token: 36	1896	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1896	WMIC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4304	f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe
4304	f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe
4304	f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 4992	4304	f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe	88
PID 4304 wrote to memory of 4992	4304	f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe	88
PID 4304 wrote to memory of 4140	4304	f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe	89
PID 4304 wrote to memory of 4140	4304	f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe	89
PID 4140 wrote to memory of 4544	4140	cmd.exe	92
PID 4140 wrote to memory of 4544	4140	cmd.exe	92
PID 4304 wrote to memory of 2924	4304	f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe	93
PID 4304 wrote to memory of 2924	4304	f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe	93
PID 4304 wrote to memory of 2924	4304	f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe	93
PID 4304 wrote to memory of 2476	4304	f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe	96
PID 4304 wrote to memory of 2476	4304	f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe	96
PID 2476 wrote to memory of 1896	2476	cmd.exe	98
PID 2476 wrote to memory of 1896	2476	cmd.exe	98
PID 4304 wrote to memory of 4264	4304	f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe	100
PID 4304 wrote to memory of 4264	4304	f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe	100
PID 4264 wrote to memory of 2860	4264	cmd.exe	102
PID 4264 wrote to memory of 2860	4264	cmd.exe	102
PID 4304 wrote to memory of 3384	4304	f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe	104
PID 4304 wrote to memory of 3384	4304	f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe	104
PID 3384 wrote to memory of 3628	3384	cmd.exe	106
PID 3384 wrote to memory of 3628	3384	cmd.exe	106
PID 4304 wrote to memory of 4824	4304	f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe	107
PID 4304 wrote to memory of 4824	4304	f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe	107
PID 4824 wrote to memory of 2248	4824	cmd.exe	109
PID 4824 wrote to memory of 2248	4824	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe
"C:\Users\Admin\AppData\Local\Temp\f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
  2⤵
  PID:4992
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4544
- C:\Users\Admin\AppData\Local\Temp\signtool.exe
  "C:\Users\Admin\AppData\Local\Temp\signtool.exe" verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 "C:\Users\Admin\AppData\Local\Temp\f0d1f4d083d1ee6308977f33f9998b8a7c780278351b2e679d13d281e91a62a4.exe"
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c wmic path Win32_NetworkAdapter get ServiceName /value /FORMAT:List
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_NetworkAdapter get ServiceName /value /FORMAT:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\Temp\KMSAuto_Files"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\Temp\KMSAuto_Files"
    3⤵
    PID:2860
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"
    3⤵
    PID:3628
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"
    3⤵
    PID:2248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\signtool.exe

Filesize
323KB

MD5
05624e6d27eaef0db0673ae627bd6027

SHA1
b155c76bf59992a8d75d0e3a59dc94f24aff2591

SHA256
962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313

SHA512
233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31

Download Submit
memory/4304-0-0x0000000000400000-0x0000000000A38000-memory.dmp

Filesize
6.2MB

Download
memory/4304-8-0x0000000000400000-0x0000000000A38000-memory.dmp

Filesize
6.2MB

Download
memory/4304-9-0x0000000000400000-0x0000000000A38000-memory.dmp

Filesize
6.2MB

Download
memory/4304-10-0x0000000000400000-0x0000000000A38000-memory.dmp

Filesize
6.2MB

Download
memory/4304-12-0x0000000000400000-0x0000000000A38000-memory.dmp

Filesize
6.2MB

Download
memory/4304-15-0x0000000000400000-0x0000000000A38000-memory.dmp

Filesize
6.2MB

Download
memory/4304-17-0x0000000000400000-0x0000000000A38000-memory.dmp

Filesize
6.2MB

Download