7b91dd58c36ad48162b4a0b5ca909993653b449eab3927f432b72532b35c7bc0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13cb738a49a976852b3660073c208b7d.exe
Size

635KB
MD5

13cb738a49a976852b3660073c208b7d
SHA1

76e4323156c8672f33c2c205bfbe93e720ac1046
SHA256

7b91dd58c36ad48162b4a0b5ca909993653b449eab3927f432b72532b35c7bc0
SHA512

6383e7e0bdffa92bc01245380dab39a31ce27058c0cdf336ced3bc43334a5f6c3d3e93d117b3f8ac52b04b496ba1ce18199f789f1aa83bcf1ef6c111278af9f5
SSDEEP

12288:rUCtKeLADIxJ9rKU3PCH9Eq+0BbSox1Q9:rvtRLADIxJ9rKU3PCHPb92

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\TXP1atform.exe	13cb738a49a976852b3660073c208b7d.exe
File created	C:\Windows\SysWOW64\drivers\TXP1atform.exe	13cb738a49a976852b3660073c208b7d.exe

Executes dropped EXE 2 IoCs

pid	Process
2840	TXP1atform.exe
320	13cb738a49a976852b3660073c208b7d.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4848-0-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral2/files/0x0007000000023201-7.dat	upx
behavioral2/files/0x0007000000023201-6.dat	upx
behavioral2/memory/4848-10-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral2/memory/2840-9-0x0000000000400000-0x000000000044D000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4848	13cb738a49a976852b3660073c208b7d.exe
4848	13cb738a49a976852b3660073c208b7d.exe
2840	TXP1atform.exe
2840	TXP1atform.exe
2840	TXP1atform.exe
2840	TXP1atform.exe
2840	TXP1atform.exe
2840	TXP1atform.exe
2840	TXP1atform.exe
2840	TXP1atform.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
320	13cb738a49a976852b3660073c208b7d.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 1876	4848	13cb738a49a976852b3660073c208b7d.exe	92
PID 4848 wrote to memory of 1876	4848	13cb738a49a976852b3660073c208b7d.exe	92
PID 4848 wrote to memory of 1876	4848	13cb738a49a976852b3660073c208b7d.exe	92
PID 4848 wrote to memory of 2840	4848	13cb738a49a976852b3660073c208b7d.exe	94
PID 4848 wrote to memory of 2840	4848	13cb738a49a976852b3660073c208b7d.exe	94
PID 4848 wrote to memory of 2840	4848	13cb738a49a976852b3660073c208b7d.exe	94
PID 1876 wrote to memory of 320	1876	cmd.exe	95
PID 1876 wrote to memory of 320	1876	cmd.exe	95
PID 1876 wrote to memory of 320	1876	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\13cb738a49a976852b3660073c208b7d.exe
"C:\Users\Admin\AppData\Local\Temp\13cb738a49a976852b3660073c208b7d.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2$$.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Users\Admin\AppData\Local\Temp\13cb738a49a976852b3660073c208b7d.exe
    "C:\Users\Admin\AppData\Local\Temp\13cb738a49a976852b3660073c208b7d.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:320
- C:\Windows\SysWOW64\drivers\TXP1atform.exe
  C:\Windows\system32\drivers\TXP1atform.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13cb738a49a976852b3660073c208b7d.exe

Filesize
149KB

MD5
b84bb461dac0f93a6541de1e013baca5

SHA1
4efb878ebae251fbb4112fd57662923be484541b

SHA256
aff04bfe4985d35fc92384d8d166beb487d826ec294d4002f4e45ffa32b5d060

SHA512
9555dc5425dfb87f71a5e6c02c1d5987a64759ac29dd370fe0d0462883acef589347aa5de3c464731b8f2eaa8cad14cb3531193b2b086f6f02105d40d09b0de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\13cb738a49a976852b3660073c208b7d.exe.exe

Filesize
126KB

MD5
6b86d4d14125762d3953df7e6c4f7d83

SHA1
917f74d782381c5dd91f6376882575c268758037

SHA256
1d3888a8a9b98b14ed9978cc8da0367d451ea65ae6677149587d824a7ef25459

SHA512
629117f63c139bb63380edd15bf6e99407940e1d29696c4ac3417c58aee46e49b9c1f14701a4dc5d0a8bbbfc2a5d457cd59c1975451443bae02d61360f20c498

Download Submit
C:\Users\Admin\AppData\Local\Temp\2$$.bat

Filesize
485B

MD5
ab95197cfabb3971842ad1bd61396c1d

SHA1
e7441799eb29371fadcce9838431b5ae63db0e51

SHA256
387a36c6317fb4865b6f4a29faafdb10320bc52ee1b849f66a130914a8b3e484

SHA512
875810c492998624e0c2357a8af432456701d97fbe28a7e229a34250e5a7baef140e12088bbca4fe0e49bd464733ecec8a8098e47658791cea6fa079f28177d2

Download Submit
C:\Windows\SysWOW64\drivers\TXP1atform.exe

Filesize
188KB

MD5
d1f0d890f302dc65ccb9a19bf5754a1e

SHA1
c51c0cf11ebd88d178069e45fd90ea87f59afee8

SHA256
de207fb23d4042b937437bbb001633341f202f6886d52e5d621767d325ab8a56

SHA512
9ebf5a00bbe39746c60b584dda429bbf62738824ad3839e65dc1a6af640dcd55464658787fba5ee72c8ec767aa16ade1afab601527eef487015b3ad2f064e298

Download Submit
C:\Windows\SysWOW64\drivers\TXP1atform.exe

Filesize
187KB

MD5
ce39445044e4e811c7291cd3735fce34

SHA1
4dad8fe336af8681688264dd97186af00b29be63

SHA256
d1361104b63c2c6f5c13cf2062223b0688a2541ae55de8c7ec13d9057bf6bb83

SHA512
4d798ccec84b37c9674c52bc2ddb8ee40119544942efdc819b317018a62c84c498e8210c018b31ed3b5796dbbe2eb63685bd4d44711ae892f0fccfd64ebc4f64

Download Submit
memory/2840-9-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4848-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4848-10-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download