d69add02e336e196157e69a565a292cd50ed897929c61e93d72d9568c986d0cc

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02-10-2023 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
Size

1.9MB
MD5

ffa310b27b30b8e34804c662bc12209d
SHA1

fe163143f202248d11620be9d22a6c22e461554e
SHA256

62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908
SHA512

64370a3743ba3dce3a80fff5fb672c9e060053892a89697efed0d8c3a34c6e98b52458b7c87df60ba0f0428a869bfbe62b9930d477198d8b4b4c93d525e0caef
SSDEEP

49152:RZAD1ebUi9l1fvs52TPXxVWtFbrnryxuBGu:7AD1e11fvvJcPn5G

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2744	sg.tmp
2792	FileShred.exe

Loads dropped DLL 6 IoCs

pid	Process
2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
2792	FileShred.exe
2792	FileShred.exe
2792	FileShred.exe
2792	FileShred.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2108-0-0x0000000000400000-0x0000000000576000-memory.dmp	upx
behavioral1/memory/2588-8-0x0000000000400000-0x0000000000576000-memory.dmp	upx
behavioral1/memory/2108-46-0x0000000000400000-0x0000000000576000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeBackupPrivilege	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
Token: SeRestorePrivilege	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
Token: 33	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
Token: SeIncBasePriorityPrivilege	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
Token: 33	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
Token: SeIncBasePriorityPrivilege	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
Token: 33	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
Token: SeIncBasePriorityPrivilege	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
Token: SeBackupPrivilege	2588	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
Token: SeRestorePrivilege	2588	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
Token: 33	2588	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
Token: SeIncBasePriorityPrivilege	2588	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
Token: 33	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
Token: SeIncBasePriorityPrivilege	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
Token: SeRestorePrivilege	2744	sg.tmp
Token: 35	2744	sg.tmp
Token: SeSecurityPrivilege	2744	sg.tmp
Token: SeSecurityPrivilege	2744	sg.tmp
Token: 33	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
Token: SeIncBasePriorityPrivilege	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
Token: SeDebugPrivilege	2792	FileShred.exe
Token: SeRestorePrivilege	2792	FileShred.exe
Token: SeBackupPrivilege	2792	FileShred.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2116	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe	29
PID 2108 wrote to memory of 2116	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe	29
PID 2108 wrote to memory of 2116	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe	29
PID 2108 wrote to memory of 2116	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe	29
PID 2108 wrote to memory of 2588	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe	31
PID 2108 wrote to memory of 2588	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe	31
PID 2108 wrote to memory of 2588	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe	31
PID 2108 wrote to memory of 2588	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe	31
PID 2108 wrote to memory of 2744	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe	32
PID 2108 wrote to memory of 2744	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe	32
PID 2108 wrote to memory of 2744	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe	32
PID 2108 wrote to memory of 2744	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe	32
PID 2108 wrote to memory of 2792	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe	34
PID 2108 wrote to memory of 2792	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe	34
PID 2108 wrote to memory of 2792	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe	34
PID 2108 wrote to memory of 2792	2108	62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe	34

C:\Users\Admin\AppData\Local\Temp\62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
"C:\Users\Admin\AppData\Local\Temp\62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:2116
- C:\Users\Admin\AppData\Local\Temp\62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
  PECMD**pecmd-cmd* PUTF -dd -skipb=1014784 -len=957584 "C:\Users\Admin\AppData\Local\Temp\~6812502272236073781.tmp",,C:\Users\Admin\AppData\Local\Temp\62151bc8b9e9e3fd9683977f9b76ad4b94bb24c1bcecc7d81e0804a4daebf908.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Users\Admin\AppData\Local\Temp\~2436869790458244705~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~6812502272236073781.tmp" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~6751561541952145796"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Users\Admin\AppData\Local\Temp\~6751561541952145796\FileShred.exe
  "C:\Users\Admin\AppData\Local\Temp\~6751561541952145796\FileShred.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~2436869790458244705~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6751561541952145796\DuiLib.dll

Filesize
1018KB

MD5
30b72b930076879f20b6a74b4f470318

SHA1
4ea9232bbcbc794b069feed0861600f9fb7ffe90

SHA256
77c9f2f56f0643b895dea5fc1aa27fb7500250ce77456da3c3f718eb7c9173ad

SHA512
cc0c7525c0cb348a80d4fe920ef2eb64ca3bbceb3ed26d8390a52757e4e92f9527d087206284a7755bc7736b20361ef9e4ab0f1449efde1614d629881da246c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6751561541952145796\FileShred.exe

Filesize
646KB

MD5
cfa9044d319e27a28df4fdb80d73df05

SHA1
45cff8fe678359927391e85a07de7eb6472ef8a7

SHA256
66cc81b0a655e6cb12bfb6cf4663993a2491cb651fed8e195e27400cc8dae0f3

SHA512
d80103f1dabc1ac4d2628b9444f474fd49a362eb40dc6693a5a45e9e17d3904c077fdc454500fadeb8b79ed02ef9415f755267e9244209e3852f090bca82af54

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6751561541952145796\FileShred.exe

Filesize
646KB

MD5
cfa9044d319e27a28df4fdb80d73df05

SHA1
45cff8fe678359927391e85a07de7eb6472ef8a7

SHA256
66cc81b0a655e6cb12bfb6cf4663993a2491cb651fed8e195e27400cc8dae0f3

SHA512
d80103f1dabc1ac4d2628b9444f474fd49a362eb40dc6693a5a45e9e17d3904c077fdc454500fadeb8b79ed02ef9415f755267e9244209e3852f090bca82af54

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6751561541952145796\FileShred.ui

Filesize
260KB

MD5
b5eb4bc6422f0c38bea8c6ee9d183018

SHA1
af06ee46945df1af0e7ea561b164d34b16318eb1

SHA256
713d4c0ab9d66deac1f25eff0a6d416ff78204fbeb47a3e0e10bddf486269db2

SHA512
a74902ba2116b90bdf2849202f6b5c4ecbf335b0e477e517e13ca854b6ae88251f9bf578428bd90f4f7affc29f8f3c99757690d5aae1af7ed50dbb30e89b85e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6751561541952145796\libxsse.dll

Filesize
852KB

MD5
4837175bbcd34f195b2bc6fe765e8d24

SHA1
4d393d7d3bb79d481fd67b11f2ea612dbb7f2860

SHA256
ce2025a6459e9798d072098717afb24a6e3e8f3cc5a498be163806d5a8fab065

SHA512
fea558d6357bfdd5b9a40e62e523aef3ebbcb1ca2aab7cfc514a2f762dfa15786e6b78786ebdbe99108309020cfc63cece2c28a61ae2b332928fce68b7321721

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6751561541952145796\uactmon.dll

Filesize
378KB

MD5
d4326674640b3d3d50d5b0033eb9c2ea

SHA1
9b15f61a8df5a82fc951b00939a864c8dced6f4b

SHA256
4ed3b68bd8e50033296aac21e5170fc09f9a46ced3670826962ff90de5f6e455

SHA512
89499ba8efc0cef7af3d3a8ebcc63f4cb7650fb12563330b478efd0c1c57c5110efeda23fe628bcf559a7dbfdab12762d57ad7c417720a10ac1bd1ea5c768256

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6751561541952145796\usysdiag.dll

Filesize
539KB

MD5
78360321b745500e84e459461c4a44e0

SHA1
47a112f26b508b97d30ef1008f03d4bc1db78993

SHA256
6bd529de5582140b3761cb162a21c8d50ff5e1600a20abd39a458a9da1b59de4

SHA512
c4618e83fffd056c70599f75c2af644921ff34986744eb8a6d776f7b4dc23af3128528bfa85fbe096063bb9177cc173faf6fcb795a65e1ef572e61ba50c8b0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6812502272236073781.tmp

Filesize
935KB

MD5
071aade771bfd202d37f65c23f811a15

SHA1
9e230564a689827b2c5b5e2b373fe80fd6b14eca

SHA256
b37b042b305c0351a673119ec1a3bde8520fba434feb5fc87e9bd33c3cb74956

SHA512
3faa4ccd3b3dfa62c538858059d7673548fa44d7470863fc398caec0beca4b1de09a51f68e212cb85338ff12469324aeea6b592a20a916fd6db8d32399ac617d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6812502272236073781.tmp

Filesize
935KB

MD5
57a151f5b34d27fa3e32dfb0b3c42d09

SHA1
bb1a93e08bb5145914939d042d652bc7872b6075

SHA256
5b6309c327884ea04d11d960a64f31a778db57072a5e516c2c9396bd6783e3ef

SHA512
71c4b8d626fbc22894d3992959e0412a1ce39bdf8078f7da5d1436e019b5e99fa2898ecfe9725e925264073037b59705ee6b386d7e3d8db1c62806cdcd73a84c

Download Submit
\Users\Admin\AppData\Local\Temp\~2436869790458244705~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
\Users\Admin\AppData\Local\Temp\~6751561541952145796\DuiLib.dll

Filesize
1018KB

MD5
30b72b930076879f20b6a74b4f470318

SHA1
4ea9232bbcbc794b069feed0861600f9fb7ffe90

SHA256
77c9f2f56f0643b895dea5fc1aa27fb7500250ce77456da3c3f718eb7c9173ad

SHA512
cc0c7525c0cb348a80d4fe920ef2eb64ca3bbceb3ed26d8390a52757e4e92f9527d087206284a7755bc7736b20361ef9e4ab0f1449efde1614d629881da246c2

Download Submit
\Users\Admin\AppData\Local\Temp\~6751561541952145796\FileShred.exe

Filesize
646KB

MD5
cfa9044d319e27a28df4fdb80d73df05

SHA1
45cff8fe678359927391e85a07de7eb6472ef8a7

SHA256
66cc81b0a655e6cb12bfb6cf4663993a2491cb651fed8e195e27400cc8dae0f3

SHA512
d80103f1dabc1ac4d2628b9444f474fd49a362eb40dc6693a5a45e9e17d3904c077fdc454500fadeb8b79ed02ef9415f755267e9244209e3852f090bca82af54

Download Submit
\Users\Admin\AppData\Local\Temp\~6751561541952145796\libxsse.dll

Filesize
852KB

MD5
4837175bbcd34f195b2bc6fe765e8d24

SHA1
4d393d7d3bb79d481fd67b11f2ea612dbb7f2860

SHA256
ce2025a6459e9798d072098717afb24a6e3e8f3cc5a498be163806d5a8fab065

SHA512
fea558d6357bfdd5b9a40e62e523aef3ebbcb1ca2aab7cfc514a2f762dfa15786e6b78786ebdbe99108309020cfc63cece2c28a61ae2b332928fce68b7321721

Download Submit
\Users\Admin\AppData\Local\Temp\~6751561541952145796\uactmon.dll

Filesize
378KB

MD5
d4326674640b3d3d50d5b0033eb9c2ea

SHA1
9b15f61a8df5a82fc951b00939a864c8dced6f4b

SHA256
4ed3b68bd8e50033296aac21e5170fc09f9a46ced3670826962ff90de5f6e455

SHA512
89499ba8efc0cef7af3d3a8ebcc63f4cb7650fb12563330b478efd0c1c57c5110efeda23fe628bcf559a7dbfdab12762d57ad7c417720a10ac1bd1ea5c768256

Download Submit
\Users\Admin\AppData\Local\Temp\~6751561541952145796\usysdiag.dll

Filesize
539KB

MD5
78360321b745500e84e459461c4a44e0

SHA1
47a112f26b508b97d30ef1008f03d4bc1db78993

SHA256
6bd529de5582140b3761cb162a21c8d50ff5e1600a20abd39a458a9da1b59de4

SHA512
c4618e83fffd056c70599f75c2af644921ff34986744eb8a6d776f7b4dc23af3128528bfa85fbe096063bb9177cc173faf6fcb795a65e1ef572e61ba50c8b0d5

Download Submit
memory/2108-0-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/2108-46-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/2108-47-0x0000000002710000-0x0000000002886000-memory.dmp

Filesize
1.5MB

Download
memory/2588-8-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/2792-45-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2792-49-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download