55005aceec6939133327c0cc3924880e7fde2fd785174e529e78425ea11aa0a7

Analysis

max time kernel
151s
max time network
167s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55005aceec6939133327c0cc3924880e7fde2fd785174e529e78425ea11aa0a7.exe
Size

2.4MB
MD5

cdba0f463c3c17cb03b3469c0cebbcdf
SHA1

ed3d05d4a1833d6bc4fc2514dd6b1ca6f49581bd
SHA256

55005aceec6939133327c0cc3924880e7fde2fd785174e529e78425ea11aa0a7
SHA512

f7bd544ed1325cb3754e9cbc3de0cb3c7a634157d780fc86956f292ec9d463f5afe0bf187c9235b69fc058eef2a4baf3791cc03f9e37b26c76bedc33eaaf24f4
SSDEEP

49152:is5SkP2lS1mdM03aT1PcXPwh11sXIAyT9tN93p:B5SQrWM03o1wPs1sByTJ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2692	cmd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2244-0-0x0000000000F00000-0x000000000103C000-memory.dmp	upx
behavioral1/memory/2244-30-0x0000000000F00000-0x000000000103C000-memory.dmp	upx
behavioral1/memory/2244-32-0x0000000000F00000-0x000000000103C000-memory.dmp	upx
behavioral1/memory/2244-39-0x0000000000F00000-0x000000000103C000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsShell21825.log	SystemPropertiesProtection.exe
File opened for modification	C:\Windows\WindowTerminalVaild12.log	SystemPropertiesProtection.exe
File opened for modification	C:\Windows\WindowMicrosoftNET08.log	SystemPropertiesProtection.exe
File opened for modification	C:\Windows\WindowsShell6822.log	55005aceec6939133327c0cc3924880e7fde2fd785174e529e78425ea11aa0a7.exe
File opened for modification	C:\Windows\WindowSystemNewUpdate761.log	SystemPropertiesProtection.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2416	2796	WerFault.exe	35

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	55005aceec6939133327c0cc3924880e7fde2fd785174e529e78425ea11aa0a7.exe
Token: SeDebugPrivilege	3020	SystemPropertiesProtection.exe
Token: SeIncBasePriorityPrivilege	2244	55005aceec6939133327c0cc3924880e7fde2fd785174e529e78425ea11aa0a7.exe
Token: SeDebugPrivilege	3020	SystemPropertiesProtection.exe
Token: SeDebugPrivilege	3020	SystemPropertiesProtection.exe
Token: SeDebugPrivilege	3020	SystemPropertiesProtection.exe
Token: SeDebugPrivilege	3020	SystemPropertiesProtection.exe
Token: SeDebugPrivilege	3020	SystemPropertiesProtection.exe
Token: SeDebugPrivilege	3020	SystemPropertiesProtection.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 3020	2244	55005aceec6939133327c0cc3924880e7fde2fd785174e529e78425ea11aa0a7.exe	28
PID 2244 wrote to memory of 3020	2244	55005aceec6939133327c0cc3924880e7fde2fd785174e529e78425ea11aa0a7.exe	28
PID 2244 wrote to memory of 3020	2244	55005aceec6939133327c0cc3924880e7fde2fd785174e529e78425ea11aa0a7.exe	28
PID 2244 wrote to memory of 3020	2244	55005aceec6939133327c0cc3924880e7fde2fd785174e529e78425ea11aa0a7.exe	28
PID 2244 wrote to memory of 3020	2244	55005aceec6939133327c0cc3924880e7fde2fd785174e529e78425ea11aa0a7.exe	28
PID 2244 wrote to memory of 3020	2244	55005aceec6939133327c0cc3924880e7fde2fd785174e529e78425ea11aa0a7.exe	28
PID 2244 wrote to memory of 3020	2244	55005aceec6939133327c0cc3924880e7fde2fd785174e529e78425ea11aa0a7.exe	28
PID 2244 wrote to memory of 2692	2244	55005aceec6939133327c0cc3924880e7fde2fd785174e529e78425ea11aa0a7.exe	29
PID 2244 wrote to memory of 2692	2244	55005aceec6939133327c0cc3924880e7fde2fd785174e529e78425ea11aa0a7.exe	29
PID 2244 wrote to memory of 2692	2244	55005aceec6939133327c0cc3924880e7fde2fd785174e529e78425ea11aa0a7.exe	29
PID 2244 wrote to memory of 2692	2244	55005aceec6939133327c0cc3924880e7fde2fd785174e529e78425ea11aa0a7.exe	29
PID 3020 wrote to memory of 568	3020	SystemPropertiesProtection.exe	33
PID 3020 wrote to memory of 568	3020	SystemPropertiesProtection.exe	33
PID 3020 wrote to memory of 568	3020	SystemPropertiesProtection.exe	33
PID 3020 wrote to memory of 568	3020	SystemPropertiesProtection.exe	33
PID 3020 wrote to memory of 568	3020	SystemPropertiesProtection.exe	33
PID 3020 wrote to memory of 568	3020	SystemPropertiesProtection.exe	33
PID 3020 wrote to memory of 568	3020	SystemPropertiesProtection.exe	33
PID 568 wrote to memory of 2796	568	HOSTNAME.EXE	35
PID 568 wrote to memory of 2796	568	HOSTNAME.EXE	35
PID 568 wrote to memory of 2796	568	HOSTNAME.EXE	35
PID 568 wrote to memory of 2796	568	HOSTNAME.EXE	35
PID 3020 wrote to memory of 2796	3020	SystemPropertiesProtection.exe	35
PID 3020 wrote to memory of 2796	3020	SystemPropertiesProtection.exe	35
PID 3020 wrote to memory of 2796	3020	SystemPropertiesProtection.exe	35
PID 2796 wrote to memory of 2416	2796	DeviceProperties.exe	36
PID 2796 wrote to memory of 2416	2796	DeviceProperties.exe	36
PID 2796 wrote to memory of 2416	2796	DeviceProperties.exe	36
PID 2796 wrote to memory of 2416	2796	DeviceProperties.exe	36

C:\Users\Admin\AppData\Local\Temp\55005aceec6939133327c0cc3924880e7fde2fd785174e529e78425ea11aa0a7.exe
"C:\Users\Admin\AppData\Local\Temp\55005aceec6939133327c0cc3924880e7fde2fd785174e529e78425ea11aa0a7.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\SystemPropertiesProtection.exe
  "C:\Windows\SysWOW64\SystemPropertiesProtection.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\HOSTNAME.EXE
    "C:\Windows\SysWOW64\HOSTNAME.EXE"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\SysWOW64\DeviceProperties.exe
      "C:\Windows\SysWOW64\DeviceProperties.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 96
        5⤵
        Program crash
        
        PID:2416
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\55005A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\WindowSystemNewUpdate761.log

Filesize
6KB

MD5
026b77013fa6bf3abf2c106736c89fc1

SHA1
de312e361d6d002785092dd2caeff3d17effd71f

SHA256
3b695875e1172f7d7b0a6a9594d5f7f8217e51716957e2f4c70e60a4aa87c597

SHA512
01fa10f5b74c2eb476bb24369728cea5508084c54a97f3e54094c953a265c9e6b749e20ecbcaef496050274ee05676f8426589bff627493a7193b64506f4f668

Download Submit
memory/568-142-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/568-122-0x0000000000080000-0x000000000009F000-memory.dmp

Filesize
124KB

Download
memory/568-123-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/2244-0-0x0000000000F00000-0x000000000103C000-memory.dmp

Filesize
1.2MB

Download
memory/2244-39-0x0000000000F00000-0x000000000103C000-memory.dmp

Filesize
1.2MB

Download
memory/2244-32-0x0000000000F00000-0x000000000103C000-memory.dmp

Filesize
1.2MB

Download
memory/2244-30-0x0000000000F00000-0x000000000103C000-memory.dmp

Filesize
1.2MB

Download
memory/2796-154-0x0000000000420000-0x0000000000A24000-memory.dmp

Filesize
6.0MB

Download
memory/3020-24-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-48-0x0000000003160000-0x0000000003259000-memory.dmp

Filesize
996KB

Download
memory/3020-20-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-26-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-27-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-28-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-12-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-11-0x0000000000160000-0x000000000017B000-memory.dmp

Filesize
108KB

Download
memory/3020-35-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-34-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-36-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-37-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-38-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-10-0x0000000000160000-0x000000000017B000-memory.dmp

Filesize
108KB

Download
memory/3020-40-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-41-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-43-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-45-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-47-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-22-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-56-0x0000000003160000-0x0000000003259000-memory.dmp

Filesize
996KB

Download
memory/3020-59-0x0000000003160000-0x0000000003259000-memory.dmp

Filesize
996KB

Download
memory/3020-60-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-62-0x00000000039B0000-0x0000000003E9B000-memory.dmp

Filesize
4.9MB

Download
memory/3020-69-0x0000000003160000-0x0000000003259000-memory.dmp

Filesize
996KB

Download
memory/3020-70-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-73-0x00000000007C0000-0x00000000007F8000-memory.dmp

Filesize
224KB

Download
memory/3020-81-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-84-0x0000000003820000-0x0000000003887000-memory.dmp

Filesize
412KB

Download
memory/3020-8-0x0000000000160000-0x000000000017B000-memory.dmp

Filesize
108KB

Download
memory/3020-5-0x0000000000200000-0x000000000030D000-memory.dmp

Filesize
1.1MB

Download
memory/3020-4-0x0000000000200000-0x000000000030D000-memory.dmp

Filesize
1.1MB

Download
memory/3020-145-0x0000000003160000-0x0000000003259000-memory.dmp

Filesize
996KB

Download
memory/3020-3-0x0000000000200000-0x000000000030D000-memory.dmp

Filesize
1.1MB

Download
memory/3020-2-0x0000000000200000-0x000000000030D000-memory.dmp

Filesize
1.1MB

Download
memory/3020-209-0x0000000009940000-0x0000000009CC3000-memory.dmp

Filesize
3.5MB

Download
memory/3020-213-0x0000000009940000-0x0000000009CC3000-memory.dmp

Filesize
3.5MB

Download