c02be5be5647268690f66f01f4e93c6f23b3aa654517668062dccadbbd64db16

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ByPassBehinder.exe
Size

653KB
MD5

04caea5648786157fb65dd51d2bc061e
SHA1

78fa45360b195da7e963c3c7b71513d7a5ad25c7
SHA256

c02be5be5647268690f66f01f4e93c6f23b3aa654517668062dccadbbd64db16
SHA512

e5f2c39e5ca3b0b95ebddd034c9ea035e76a59752d6dc9045f3c5dd38a89f52ee469ac43e4413e76382ba2735ef2592a2fe16c0f29d17e2e7473de3f71be4c0e
SSDEEP

12288:MQkecmjxNBVMDoh5plMbBdV0aSpu+q6rNvectRjsjzETmoh:Mx4KDoLnYBdK4+qWN3tRyzah

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4572-0-0x00007FF649300000-0x00007FF649385000-memory.dmp	upx
behavioral2/memory/4572-16-0x00007FF649300000-0x00007FF649385000-memory.dmp	upx
behavioral2/memory/4572-32-0x00007FF649300000-0x00007FF649385000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4692	svchost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 2752	4572	ByPassBehinder.exe	87
PID 4572 wrote to memory of 2752	4572	ByPassBehinder.exe	87

C:\Users\Admin\AppData\Local\Temp\ByPassBehinder.exe
"C:\Users\Admin\AppData\Local\Temp\ByPassBehinder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4572
- \??\c:\PROGRA~1\java\JRE18~1.0_6\bin\java.exe
  "c:\PROGRA~1\java\JRE18~1.0_6\bin\java.exe" -version
  2⤵
  PID:2752

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
72eb694239410752f1366e2a1c658528

SHA1
45c64121ee5175c10b77cd272fa5e5e464b26ac2

SHA256
5380a576587d6a0cd648ce5508483afb026e79d0b9a1e684a34f37287859b432

SHA512
38da341a8f5358df2273b1b88ab0cccae5061c757c33f34ad6f82bfa88d55843d40f85e23f24fe7c427813341e314955f8dd867abb16a843041074f324806462

Download Submit
memory/2752-8-0x0000000002860000-0x0000000003860000-memory.dmp

Filesize
16.0MB

Download
memory/2752-15-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/4572-32-0x00007FF649300000-0x00007FF649385000-memory.dmp

Filesize
532KB

Download
memory/4572-16-0x00007FF649300000-0x00007FF649385000-memory.dmp

Filesize
532KB

Download
memory/4572-23-0x0000000002670000-0x0000000003670000-memory.dmp

Filesize
16.0MB

Download
memory/4572-0-0x00007FF649300000-0x00007FF649385000-memory.dmp

Filesize
532KB

Download
memory/4572-33-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/4572-36-0x0000000002670000-0x0000000003670000-memory.dmp

Filesize
16.0MB

Download
memory/4692-48-0x00000251E5B50000-0x00000251E5B60000-memory.dmp

Filesize
64KB

Download
memory/4692-64-0x00000251E5C50000-0x00000251E5C60000-memory.dmp

Filesize
64KB

Download
memory/4692-80-0x00000251EDFC0000-0x00000251EDFC1000-memory.dmp

Filesize
4KB

Download
memory/4692-82-0x00000251EDFF0000-0x00000251EDFF1000-memory.dmp

Filesize
4KB

Download
memory/4692-83-0x00000251EDFF0000-0x00000251EDFF1000-memory.dmp

Filesize
4KB

Download
memory/4692-84-0x00000251EE100000-0x00000251EE101000-memory.dmp

Filesize
4KB

Download