988c9d3092715390275958db6a2531f30b1fab02440f86163ec8ab040b67abb1

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
21-11-2023 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

988c9d3092715390275958db6a2531f30b1fab02440f86163ec8ab040b67abb1.exe
Size

972KB
MD5

35bbe59d2dce520b296d78e2f8669509
SHA1

fa796726d4b2e35b24cd0e9e2dfb2ab04cc10e91
SHA256

988c9d3092715390275958db6a2531f30b1fab02440f86163ec8ab040b67abb1
SHA512

0fd3f6550a25c112ce8e7b79836b94883ce41e72cbe731ef4323f40dd9f8ab171150f3dcdaf680e9c385d9f59a2c5a10808c94d2728f9fb28e4553e19c3d6f31
SSDEEP

24576:ZEF96C6BwkP2lsl8fEQemdM03zmT1P+cw0us+U+VCswUcswv4wl0rc3Ucswv4wEO:is5SkP2lS1mdM03aT1P+cw0us+U+VCsY

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2400-0-0x0000000000BF0000-0x0000000000D2C000-memory.dmp	upx
behavioral1/memory/2400-38-0x0000000000BF0000-0x0000000000D2C000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowTerminalVaild86.log	RMActivate.exe
File opened for modification	C:\Windows\WindowMicrosoftNET02.log	RMActivate.exe
File opened for modification	C:\Windows\WindowsShell56246.log	988c9d3092715390275958db6a2531f30b1fab02440f86163ec8ab040b67abb1.exe
File opened for modification	C:\Windows\WindowSystemNewUpdate688.log	RMActivate.exe
File opened for modification	C:\Windows\WindowSystemNewUpdate80.log	RMActivate.exe
File opened for modification	C:\Windows\WindowsShell7322006.log	RMActivate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2128	2960	WerFault.exe	35

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	988c9d3092715390275958db6a2531f30b1fab02440f86163ec8ab040b67abb1.exe
Token: SeDebugPrivilege	2676	RMActivate.exe
Token: SeIncBasePriorityPrivilege	2400	988c9d3092715390275958db6a2531f30b1fab02440f86163ec8ab040b67abb1.exe
Token: SeDebugPrivilege	2676	RMActivate.exe
Token: SeDebugPrivilege	2676	RMActivate.exe
Token: SeDebugPrivilege	2676	RMActivate.exe
Token: SeDebugPrivilege	2676	RMActivate.exe
Token: SeDebugPrivilege	2676	RMActivate.exe
Token: SeDebugPrivilege	2676	RMActivate.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2676	2400	988c9d3092715390275958db6a2531f30b1fab02440f86163ec8ab040b67abb1.exe	28
PID 2400 wrote to memory of 2676	2400	988c9d3092715390275958db6a2531f30b1fab02440f86163ec8ab040b67abb1.exe	28
PID 2400 wrote to memory of 2676	2400	988c9d3092715390275958db6a2531f30b1fab02440f86163ec8ab040b67abb1.exe	28
PID 2400 wrote to memory of 2676	2400	988c9d3092715390275958db6a2531f30b1fab02440f86163ec8ab040b67abb1.exe	28
PID 2400 wrote to memory of 2676	2400	988c9d3092715390275958db6a2531f30b1fab02440f86163ec8ab040b67abb1.exe	28
PID 2400 wrote to memory of 2676	2400	988c9d3092715390275958db6a2531f30b1fab02440f86163ec8ab040b67abb1.exe	28
PID 2400 wrote to memory of 2676	2400	988c9d3092715390275958db6a2531f30b1fab02440f86163ec8ab040b67abb1.exe	28
PID 2400 wrote to memory of 2660	2400	988c9d3092715390275958db6a2531f30b1fab02440f86163ec8ab040b67abb1.exe	30
PID 2400 wrote to memory of 2660	2400	988c9d3092715390275958db6a2531f30b1fab02440f86163ec8ab040b67abb1.exe	30
PID 2400 wrote to memory of 2660	2400	988c9d3092715390275958db6a2531f30b1fab02440f86163ec8ab040b67abb1.exe	30
PID 2400 wrote to memory of 2660	2400	988c9d3092715390275958db6a2531f30b1fab02440f86163ec8ab040b67abb1.exe	30
PID 2676 wrote to memory of 1252	2676	RMActivate.exe	34
PID 2676 wrote to memory of 1252	2676	RMActivate.exe	34
PID 2676 wrote to memory of 1252	2676	RMActivate.exe	34
PID 2676 wrote to memory of 1252	2676	RMActivate.exe	34
PID 2676 wrote to memory of 1252	2676	RMActivate.exe	34
PID 2676 wrote to memory of 1252	2676	RMActivate.exe	34
PID 2676 wrote to memory of 1252	2676	RMActivate.exe	34
PID 1252 wrote to memory of 2960	1252	isoburn.exe	35
PID 1252 wrote to memory of 2960	1252	isoburn.exe	35
PID 1252 wrote to memory of 2960	1252	isoburn.exe	35
PID 1252 wrote to memory of 2960	1252	isoburn.exe	35
PID 2676 wrote to memory of 2960	2676	RMActivate.exe	35
PID 2676 wrote to memory of 2960	2676	RMActivate.exe	35
PID 2676 wrote to memory of 2960	2676	RMActivate.exe	35
PID 2960 wrote to memory of 2128	2960	pcaui.exe	36
PID 2960 wrote to memory of 2128	2960	pcaui.exe	36
PID 2960 wrote to memory of 2128	2960	pcaui.exe	36
PID 2960 wrote to memory of 2128	2960	pcaui.exe	36

C:\Users\Admin\AppData\Local\Temp\988c9d3092715390275958db6a2531f30b1fab02440f86163ec8ab040b67abb1.exe
"C:\Users\Admin\AppData\Local\Temp\988c9d3092715390275958db6a2531f30b1fab02440f86163ec8ab040b67abb1.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\RMActivate.exe
  "C:\Windows\SysWOW64\RMActivate.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\isoburn.exe
    "C:\Windows\SysWOW64\isoburn.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\SysWOW64\pcaui.exe
      "C:\Windows\SysWOW64\pcaui.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 64
        5⤵
        Program crash
        
        PID:2128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\988C9D~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\WindowSystemNewUpdate688.log

Filesize
7KB

MD5
6b7c5b0c9ad8ced807a8c59e4f391f49

SHA1
ec96aeb397b5f1c59821cd804117b56a197cab8a

SHA256
91c20d89d4faab5540f8c5897f158bb31174cdbc408f0dbcbb3b322834b8e029

SHA512
5f6bb3b55e44ca48cf879c3e1f5564fa1cc7f4f10741de5ca8af717bd18d10b7de64e1482a281f175b39ccfe3d31446b260021c58f33c4437d91190569829c3b

Download Submit
memory/1252-165-0x0000000000180000-0x00000000001A4000-memory.dmp

Filesize
144KB

Download
memory/1252-107-0x0000000000180000-0x00000000001A4000-memory.dmp

Filesize
144KB

Download
memory/1252-102-0x0000000000080000-0x000000000009F000-memory.dmp

Filesize
124KB

Download
memory/1252-84-0x0000000000080000-0x000000000009F000-memory.dmp

Filesize
124KB

Download
memory/2400-38-0x0000000000BF0000-0x0000000000D2C000-memory.dmp

Filesize
1.2MB

Download
memory/2400-0-0x0000000000BF0000-0x0000000000D2C000-memory.dmp

Filesize
1.2MB

Download
memory/2676-42-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/2676-54-0x0000000003310000-0x000000000341F000-memory.dmp

Filesize
1.1MB

Download
memory/2676-24-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/2676-25-0x00000000000A0000-0x00000000000BB000-memory.dmp

Filesize
108KB

Download
memory/2676-26-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/2676-28-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/2676-29-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/2676-31-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/2676-32-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/2676-34-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/2676-35-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/2676-11-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/2676-39-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/2676-9-0x00000000000A0000-0x00000000000BB000-memory.dmp

Filesize
108KB

Download
memory/2676-43-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/2676-45-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/2676-46-0x0000000003310000-0x000000000341F000-memory.dmp

Filesize
1.1MB

Download
memory/2676-20-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/2676-56-0x0000000003310000-0x000000000341F000-memory.dmp

Filesize
1.1MB

Download
memory/2676-57-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/2676-60-0x00000000038E0000-0x0000000003DA2000-memory.dmp

Filesize
4.8MB

Download
memory/2676-59-0x0000000003310000-0x000000000341F000-memory.dmp

Filesize
1.1MB

Download
memory/2676-63-0x0000000003310000-0x000000000341F000-memory.dmp

Filesize
1.1MB

Download
memory/2676-69-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/2676-72-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/2676-74-0x00000000058F0000-0x0000000005C58000-memory.dmp

Filesize
3.4MB

Download
memory/2676-6-0x00000000000A0000-0x00000000000BB000-memory.dmp

Filesize
108KB

Download
memory/2676-82-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/2676-5-0x0000000000140000-0x000000000024D000-memory.dmp

Filesize
1.1MB

Download
memory/2676-4-0x0000000000140000-0x000000000024D000-memory.dmp

Filesize
1.1MB

Download
memory/2676-117-0x0000000006C10000-0x0000000006F52000-memory.dmp

Filesize
3.3MB

Download
memory/2676-3-0x0000000000140000-0x000000000024D000-memory.dmp

Filesize
1.1MB

Download
memory/2676-2-0x0000000000140000-0x000000000024D000-memory.dmp

Filesize
1.1MB

Download
memory/2960-166-0x0000000000190000-0x000000000075E000-memory.dmp

Filesize
5.8MB

Download