83174d98d25823f54699213c387f5cbec17493831608b924960e9276b147069c

Analysis

max time kernel
1650s
max time network
1710s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
15-11-2023 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ScreenPayload.exe
Size

1.0MB
MD5

1582506eba3220fdc1dc9254f7732c88
SHA1

80223f24b3edafd6723fe2000c3dfde614b2c941
SHA256

83174d98d25823f54699213c387f5cbec17493831608b924960e9276b147069c
SHA512

60cd1f0940818a6761efb002ac299755fd14324f068a606dd2fe19dc22d2476481a8c6d75999dd2b223917f9d2aba97b0598d2445de568c1b8b675aca0d6540c
SSDEEP

24576:qryL/PmBUqgdqt3qDYM9HFIm2BKX3yjCcy:qsmgdqt32lIm2BKX3Wx

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3068	PixelateScrn.exe

Loads dropped DLL 3 IoCs

pid	Process
2332	cmd.exe
3068	PixelateScrn.exe
3068	PixelateScrn.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2220-0-0x0000000000400000-0x0000000000518000-memory.dmp	upx
behavioral1/memory/2220-22-0x0000000000400000-0x0000000000518000-memory.dmp	upx

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2332	2220	ScreenPayload.exe	29
PID 2220 wrote to memory of 2332	2220	ScreenPayload.exe	29
PID 2220 wrote to memory of 2332	2220	ScreenPayload.exe	29
PID 2220 wrote to memory of 2332	2220	ScreenPayload.exe	29
PID 2332 wrote to memory of 3068	2332	cmd.exe	30
PID 2332 wrote to memory of 3068	2332	cmd.exe	30
PID 2332 wrote to memory of 3068	2332	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\ScreenPayload.exe
"C:\Users\Admin\AppData\Local\Temp\ScreenPayload.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\588C.tmp\588D.tmp\588E.bat C:\Users\Admin\AppData\Local\Temp\ScreenPayload.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\PixelateScrn.exe
    PixelateScrn
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\588C.tmp\588D.tmp\588E.bat

Filesize
30B

MD5
d1713c63e86e160d2a94cc8ef320715e

SHA1
c145c63b9cdab0a5fbdfd893215c0104ba9df97f

SHA256
95ed71eae4e96071889f84aa429b6761f20d5478c373b7dc37ac0ebd3d1d2945

SHA512
5db424d66f075c647dc15245e7609b7fa8e7ebbe95191c6d2e74bb7afddb9717dfc2da0ea560d3d73d2736aa009a6583139baac0c4305b0f02698761d52bff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PixelateScrn.exe

Filesize
61KB

MD5
36615e65dcf875918732ff799462893b

SHA1
7fa4f9618d095b3430229d07fa1239912a805851

SHA256
e5773d0edfd572b7e5fa0f049b6bccb6022d77e37cf5bf5393d8e9cf45c12c8f

SHA512
aab184d01819615db9be8ce4138dbce7efbda1199806fe6b40ca5d5572b13608855c62b24d815bfbfae0f2134e47bbf6ae4db75e795464c677ee56333578661b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCRUNTIME140D.dll

Filesize
171KB

MD5
6d47ca15e34ce5b3cd1a436226885aaa

SHA1
33825aec7b88b94ff2926ae367375fc814071b01

SHA256
f31a44b466c4b6a11f104fd75c221bed775f8db2a6bb2a0d48409fa906a10e9e

SHA512
587b467c052fe2cf7a6a59cd813b984f89510d68a6b8510497478bdd176e3d7d796e81acd13fb1ff52fa5a0bb0ac804c7a87bed01883252b1bfde0a4e5221426

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucrtbased.dll

Filesize
2.1MB

MD5
e628baf3be74ffe67e71a27ca3865156

SHA1
05b75dee03400aea8812b9342e764e909667ebbd

SHA256
b9921954681ceb3f01a03071f87aaa33116e0ab0a1532309dced36a0085471b7

SHA512
d5e1a61bb98e35a996cf1d465bc6b922a0aac7d35713852dac43ec54cd34240dcf31d1843c4eed45c251dcde44399b7af1e0262c140577f148b3b706669cfd8e

Download Submit
\Users\Admin\AppData\Local\Temp\PixelateScrn.exe

Filesize
61KB

MD5
36615e65dcf875918732ff799462893b

SHA1
7fa4f9618d095b3430229d07fa1239912a805851

SHA256
e5773d0edfd572b7e5fa0f049b6bccb6022d77e37cf5bf5393d8e9cf45c12c8f

SHA512
aab184d01819615db9be8ce4138dbce7efbda1199806fe6b40ca5d5572b13608855c62b24d815bfbfae0f2134e47bbf6ae4db75e795464c677ee56333578661b

Download Submit
\Users\Admin\AppData\Local\Temp\ucrtbased.dll

Filesize
2.1MB

MD5
e628baf3be74ffe67e71a27ca3865156

SHA1
05b75dee03400aea8812b9342e764e909667ebbd

SHA256
b9921954681ceb3f01a03071f87aaa33116e0ab0a1532309dced36a0085471b7

SHA512
d5e1a61bb98e35a996cf1d465bc6b922a0aac7d35713852dac43ec54cd34240dcf31d1843c4eed45c251dcde44399b7af1e0262c140577f148b3b706669cfd8e

Download Submit
\Users\Admin\AppData\Local\Temp\vcruntime140d.dll

Filesize
171KB

MD5
6d47ca15e34ce5b3cd1a436226885aaa

SHA1
33825aec7b88b94ff2926ae367375fc814071b01

SHA256
f31a44b466c4b6a11f104fd75c221bed775f8db2a6bb2a0d48409fa906a10e9e

SHA512
587b467c052fe2cf7a6a59cd813b984f89510d68a6b8510497478bdd176e3d7d796e81acd13fb1ff52fa5a0bb0ac804c7a87bed01883252b1bfde0a4e5221426

Download Submit
memory/2220-0-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2220-22-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2332-16-0x000000013F8E0000-0x000000013F906000-memory.dmp

Filesize
152KB

Download
memory/2332-23-0x000000013F8E0000-0x000000013F906000-memory.dmp

Filesize
152KB

Download
memory/3068-21-0x000000013F8E0000-0x000000013F906000-memory.dmp

Filesize
152KB

Download
memory/3068-24-0x000000013F8E0000-0x000000013F906000-memory.dmp

Filesize
152KB

Download