64dce65c95c68b6bbf1cc284e4da95ef7f3a9313275a1d3d89573bd5478e11e4

Analysis

max time kernel
139s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64dce65c95c68b6bbf1cc284e4da95ef7f3a9313275a1d3d89573bd5478e11e4.exe
Size

747KB
MD5

27df8d43c59f898e4d8700d02e7bd042
SHA1

df052c0afb5bfe3e6250894cc5f79f124ec096a9
SHA256

64dce65c95c68b6bbf1cc284e4da95ef7f3a9313275a1d3d89573bd5478e11e4
SHA512

6ec792d7578b5b07abf6e183a2e4ff51b04b4f06896346cc7b196372509ae63a8e042117c58ad6dd14c80952ce9cd5ba64db9ec899101e6a3c4c539e1f0151de
SSDEEP

12288:n0w8PAzNVDFyj+9wbYCVyXB2vJ/Vc2qbGWTiSGjqfNnzoxMvjxI/dhiejv48oS5a:n0w84zbDFyj+9wbYCVyXB2vJ/Vc2qGWT

Score

8^/10

persistence upx

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\64dce65c95c68b6bbf1cc284e4da95ef7f3a9313275a1d3d89573bd5478e11e4.exe	64dce65c95c68b6bbf1cc284e4da95ef7f3a9313275a1d3d89573bd5478e11e4.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\64DCE65C95C68B6BBF1CC284E4DA95EF7F3A9313275A1D3D89573BD5478E11E4.EXE	64dce65c95c68b6bbf1cc284e4da95ef7f3a9313275a1d3d89573bd5478e11e4.exe

Loads dropped DLL 1 IoCs

pid	Process
3740	64dce65c95c68b6bbf1cc284e4da95ef7f3a9313275a1d3d89573bd5478e11e4.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3740-1-0x0000000002250000-0x000000000225B000-memory.dmp	upx
behavioral2/memory/3740-9-0x0000000002250000-0x000000000225B000-memory.dmp	upx

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\Desktop	64dce65c95c68b6bbf1cc284e4da95ef7f3a9313275a1d3d89573bd5478e11e4.exe
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\Desktop\LanguageConfiguration	64dce65c95c68b6bbf1cc284e4da95ef7f3a9313275a1d3d89573bd5478e11e4.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\CONTROL PANEL\DESKTOP\LANGUAGECONFIGURATION	64dce65c95c68b6bbf1cc284e4da95ef7f3a9313275a1d3d89573bd5478e11e4.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3740	64dce65c95c68b6bbf1cc284e4da95ef7f3a9313275a1d3d89573bd5478e11e4.exe
Token: SeBackupPrivilege	3740	64dce65c95c68b6bbf1cc284e4da95ef7f3a9313275a1d3d89573bd5478e11e4.exe
Token: SeRestorePrivilege	3740	64dce65c95c68b6bbf1cc284e4da95ef7f3a9313275a1d3d89573bd5478e11e4.exe

C:\Users\Admin\AppData\Local\Temp\64dce65c95c68b6bbf1cc284e4da95ef7f3a9313275a1d3d89573bd5478e11e4.exe
"C:\Users\Admin\AppData\Local\Temp\64dce65c95c68b6bbf1cc284e4da95ef7f3a9313275a1d3d89573bd5478e11e4.exe"
1⤵
- Sets file execution options in registry
- Loads dropped DLL
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\E-Module\gzip.dll

Filesize
29KB

MD5
8b3591965f623b219c0c528153746cab

SHA1
020961494fa0e08779b7aacf4422269935354f7d

SHA256
97ea3d99cf21123bc1aec72f9ded6a51ac659830392adfefd424eb799ab0219e

SHA512
6e547197d160c9ec13cf2384add1bb6753276e3dab97d951adba9257d6bf999720635a7b9d94a5ca8b94bdda2f25f36c5938d126bc3e46a358e1fad072132351

Download Submit
memory/3740-1-0x0000000002250000-0x000000000225B000-memory.dmp

Filesize
44KB

Download
memory/3740-6-0x000000006F0C0000-0x000000006F0D0000-memory.dmp

Filesize
64KB

Download
memory/3740-7-0x00000000770D2000-0x00000000770D3000-memory.dmp

Filesize
4KB

Download
memory/3740-8-0x00000000770D3000-0x00000000770D4000-memory.dmp

Filesize
4KB

Download
memory/3740-9-0x0000000002250000-0x000000000225B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads