e50cccf1f6d70da378206adb1cde3dcae2b39b083eeebeccec33b6d0612d3b35

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49c4c1a468e992460e0c3dd2923c1a0f.exe
Size

31KB
MD5

49c4c1a468e992460e0c3dd2923c1a0f
SHA1

04c274592110d41b2bf0bfbe5e7dc5d50b2e4275
SHA256

e50cccf1f6d70da378206adb1cde3dcae2b39b083eeebeccec33b6d0612d3b35
SHA512

40c089a76893b31fff8bd5923fa8b34e2eaa7474f98e536ff4d82782da8bf4e80a9afa4b653782bca726c065575695c98bfaae173aa8dc88548594217d3954b6
SSDEEP

768:WWH6E4y5Uiy1SssZqdoadXFrC8EBXbuLRCShkc:WWH6E4y58SsskdoadXZH6bVc

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2352	ukyfact.exe

Loads dropped DLL 2 IoCs

pid	Process
2208	49c4c1a468e992460e0c3dd2923c1a0f.exe
2208	49c4c1a468e992460e0c3dd2923c1a0f.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2208-0-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/files/0x000c000000013a35-4.dat	upx
behavioral1/memory/2208-10-0x0000000001D30000-0x0000000001D52000-memory.dmp	upx
behavioral1/memory/2352-13-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2352	2208	49c4c1a468e992460e0c3dd2923c1a0f.exe	28
PID 2208 wrote to memory of 2352	2208	49c4c1a468e992460e0c3dd2923c1a0f.exe	28
PID 2208 wrote to memory of 2352	2208	49c4c1a468e992460e0c3dd2923c1a0f.exe	28
PID 2208 wrote to memory of 2352	2208	49c4c1a468e992460e0c3dd2923c1a0f.exe	28

C:\Users\Admin\AppData\Local\Temp\49c4c1a468e992460e0c3dd2923c1a0f.exe
"C:\Users\Admin\AppData\Local\Temp\49c4c1a468e992460e0c3dd2923c1a0f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\ukyfact.exe
  "C:\Users\Admin\AppData\Local\Temp\ukyfact.exe"
  2⤵
  - Executes dropped EXE
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ukyfact.exe

Filesize
31KB

MD5
757d1995735e6b4879d9334eae030641

SHA1
66c036ae6a11ba3b9c10c3b0d6efb29488233198

SHA256
3c660660aac4915166699f48563672fb02e17647d7c26fa67dc5d4f0119e1158

SHA512
0d7b69bf7866dcdf8879602c6a9d8d62160f236819710853d60ab500c304db1367a2280ed9f2b684a1bb519b77edbe2aaff44afc483bce148e47686ea2f5a3bf

Download Submit
memory/2208-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2208-1-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2208-10-0x0000000001D30000-0x0000000001D52000-memory.dmp

Filesize
136KB

Download
memory/2352-13-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2352-14-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download