94f6f4514b0c15b6d9478ed6ac9017cfd1ce329e00851041f22400997f94ad7e

Analysis

max time kernel
1651s
max time network
1704s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
15/11/2023, 20:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ScreenPayload.exe
Size

1.0MB
MD5

16a285cafcfe08d6d2b20950dbab196f
SHA1

0cf9bffe24670bc7e76e0edb33d4d346e73b9206
SHA256

94f6f4514b0c15b6d9478ed6ac9017cfd1ce329e00851041f22400997f94ad7e
SHA512

31784e634c79ac8ee7e8c87c949c982418f094536c8a30a0d1ac85588b4c4cccfae669a44414e449f8bddd12610a00cca1ab0c43c5b7ad180576d78a6e07e61a
SSDEEP

24576:/G+gy7tIZ+E3kpgfqxoTPy8KKK0zpdjDvAaZFnKa:/P8+EOgyWTD/NjKa

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1300	PixelateScrn.exe

Loads dropped DLL 6 IoCs

pid	Process
2332	cmd.exe
2572	Process not Found
1300	PixelateScrn.exe
1300	PixelateScrn.exe
1300	PixelateScrn.exe
1300	PixelateScrn.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1620-0-0x0000000000400000-0x0000000000518000-memory.dmp	upx
behavioral1/memory/1620-27-0x0000000000400000-0x0000000000518000-memory.dmp	upx

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2332	1620	ScreenPayload.exe	29
PID 1620 wrote to memory of 2332	1620	ScreenPayload.exe	29
PID 1620 wrote to memory of 2332	1620	ScreenPayload.exe	29
PID 1620 wrote to memory of 2332	1620	ScreenPayload.exe	29
PID 2332 wrote to memory of 1300	2332	cmd.exe	30
PID 2332 wrote to memory of 1300	2332	cmd.exe	30
PID 2332 wrote to memory of 1300	2332	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\ScreenPayload.exe
"C:\Users\Admin\AppData\Local\Temp\ScreenPayload.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4395.tmp\4396.tmp\4397.bat C:\Users\Admin\AppData\Local\Temp\ScreenPayload.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\PixelateScrn.exe
    PixelateScrn
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4395.tmp\4396.tmp\4397.bat

Filesize
36B

MD5
a465cc130cd7807f4260161ada5db562

SHA1
8ea4aa1a01d250ee32d3391c9ab5bb8e8c5e81d9

SHA256
70fb176b76ffdb3edb91c716d9e81aeeb1eec1e8a18fed2b9b4703e82f7068d0

SHA512
661a08b0bb23826e94f7856b15f6a5e16d5ec106764d2f1a52d43a3b713d5115c0c81bc5063803493e43afa259919a5cc183cd3be96ecdd4e06b49a3e545f42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSVCP140D.dll

Filesize
898KB

MD5
f83746b98014aa2374a79758dafdf409

SHA1
0520b6ec402963b015ae060b225f30d41a88ab05

SHA256
e1118fc5ca6a4bcfca0dcbf7b4705bbea6b7155fd58442dc870a61a866bb413d

SHA512
ee0604705c92a2b605986a2263c4d342fcfe8b002c0fcf634d5a52d811e5b2d00cef80f579c0d44e291ea15a3048bf384fe0dba9222160c736987c90b7c5edff

Download Submit
C:\Users\Admin\AppData\Local\Temp\PixelateScrn.exe

Filesize
77KB

MD5
fcb5bfbbe034e91efaeb06d646e478c9

SHA1
bb44c1377075082c2ad5ee4979800bb422730e59

SHA256
f0286fc86269f9d5a0c5c762e69460d43827bfb9cea44a07ba8749520539ce79

SHA512
9053a1a7c0a90f42afdfc3bd1ffe0720169008c0ff4f4f8427c882a05d9cbfcda810dd520d0767985010afd03a35b368af971183df3505c8477d53ea3a76232a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCRUNTIME140D.dll

Filesize
171KB

MD5
6d47ca15e34ce5b3cd1a436226885aaa

SHA1
33825aec7b88b94ff2926ae367375fc814071b01

SHA256
f31a44b466c4b6a11f104fd75c221bed775f8db2a6bb2a0d48409fa906a10e9e

SHA512
587b467c052fe2cf7a6a59cd813b984f89510d68a6b8510497478bdd176e3d7d796e81acd13fb1ff52fa5a0bb0ac804c7a87bed01883252b1bfde0a4e5221426

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCRUNTIME140_1D.dll

Filesize
62KB

MD5
aa51acf42986f844d36e4e7807f13239

SHA1
6284203a35fe0459204fc67d1cc4ec6b329a4ed0

SHA256
41dd9842b8ba31009ee80c0b382dc2136923d6077767b5fe35dfacce0634c5bc

SHA512
b724fac28a36b005c4a21dee9fd181bb85eced1c03903cbd81f04822f4adcd95042db7c58ba6e7c92c901f6a33c902ecd9dbeaec4c08c6a7ffd9e2ad57bc5e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucrtbased.dll

Filesize
2.1MB

MD5
e628baf3be74ffe67e71a27ca3865156

SHA1
05b75dee03400aea8812b9342e764e909667ebbd

SHA256
b9921954681ceb3f01a03071f87aaa33116e0ab0a1532309dced36a0085471b7

SHA512
d5e1a61bb98e35a996cf1d465bc6b922a0aac7d35713852dac43ec54cd34240dcf31d1843c4eed45c251dcde44399b7af1e0262c140577f148b3b706669cfd8e

Download Submit
\Users\Admin\AppData\Local\Temp\PixelateScrn.exe

Filesize
77KB

MD5
fcb5bfbbe034e91efaeb06d646e478c9

SHA1
bb44c1377075082c2ad5ee4979800bb422730e59

SHA256
f0286fc86269f9d5a0c5c762e69460d43827bfb9cea44a07ba8749520539ce79

SHA512
9053a1a7c0a90f42afdfc3bd1ffe0720169008c0ff4f4f8427c882a05d9cbfcda810dd520d0767985010afd03a35b368af971183df3505c8477d53ea3a76232a

Download Submit
\Users\Admin\AppData\Local\Temp\PixelateScrn.exe

Filesize
77KB

MD5
fcb5bfbbe034e91efaeb06d646e478c9

SHA1
bb44c1377075082c2ad5ee4979800bb422730e59

SHA256
f0286fc86269f9d5a0c5c762e69460d43827bfb9cea44a07ba8749520539ce79

SHA512
9053a1a7c0a90f42afdfc3bd1ffe0720169008c0ff4f4f8427c882a05d9cbfcda810dd520d0767985010afd03a35b368af971183df3505c8477d53ea3a76232a

Download Submit
\Users\Admin\AppData\Local\Temp\msvcp140d.dll

Filesize
898KB

MD5
f83746b98014aa2374a79758dafdf409

SHA1
0520b6ec402963b015ae060b225f30d41a88ab05

SHA256
e1118fc5ca6a4bcfca0dcbf7b4705bbea6b7155fd58442dc870a61a866bb413d

SHA512
ee0604705c92a2b605986a2263c4d342fcfe8b002c0fcf634d5a52d811e5b2d00cef80f579c0d44e291ea15a3048bf384fe0dba9222160c736987c90b7c5edff

Download Submit
\Users\Admin\AppData\Local\Temp\ucrtbased.dll

Filesize
2.1MB

MD5
e628baf3be74ffe67e71a27ca3865156

SHA1
05b75dee03400aea8812b9342e764e909667ebbd

SHA256
b9921954681ceb3f01a03071f87aaa33116e0ab0a1532309dced36a0085471b7

SHA512
d5e1a61bb98e35a996cf1d465bc6b922a0aac7d35713852dac43ec54cd34240dcf31d1843c4eed45c251dcde44399b7af1e0262c140577f148b3b706669cfd8e

Download Submit
\Users\Admin\AppData\Local\Temp\vcruntime140_1d.dll

Filesize
62KB

MD5
aa51acf42986f844d36e4e7807f13239

SHA1
6284203a35fe0459204fc67d1cc4ec6b329a4ed0

SHA256
41dd9842b8ba31009ee80c0b382dc2136923d6077767b5fe35dfacce0634c5bc

SHA512
b724fac28a36b005c4a21dee9fd181bb85eced1c03903cbd81f04822f4adcd95042db7c58ba6e7c92c901f6a33c902ecd9dbeaec4c08c6a7ffd9e2ad57bc5e71

Download Submit
\Users\Admin\AppData\Local\Temp\vcruntime140d.dll

Filesize
171KB

MD5
6d47ca15e34ce5b3cd1a436226885aaa

SHA1
33825aec7b88b94ff2926ae367375fc814071b01

SHA256
f31a44b466c4b6a11f104fd75c221bed775f8db2a6bb2a0d48409fa906a10e9e

SHA512
587b467c052fe2cf7a6a59cd813b984f89510d68a6b8510497478bdd176e3d7d796e81acd13fb1ff52fa5a0bb0ac804c7a87bed01883252b1bfde0a4e5221426

Download Submit
memory/1300-17-0x000000013F150000-0x000000013F17A000-memory.dmp

Filesize
168KB

Download
memory/1300-29-0x000000013F150000-0x000000013F17A000-memory.dmp

Filesize
168KB

Download
memory/1620-0-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/1620-27-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2332-15-0x000000013F150000-0x000000013F17A000-memory.dmp

Filesize
168KB

Download
memory/2332-28-0x000000013F150000-0x000000013F17A000-memory.dmp

Filesize
168KB

Download