20ba3ad626dca31c666bfff0ff3d1d2cf71b664383cb7c775b7f4a9725989b89

Analysis

max time kernel
0s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bfb30639d02336395de9a01866d63b0.exe
Size

425KB
MD5

1bfb30639d02336395de9a01866d63b0
SHA1

6f1139516c8b5a7fd8a36fcfcc52d0e93fa15111
SHA256

20ba3ad626dca31c666bfff0ff3d1d2cf71b664383cb7c775b7f4a9725989b89
SHA512

2bced330d656d43ecbb89fc13e42cac77c125ce1f879f2e80f5032d02755da15ab70e99fe789b66d980dc72ec235e906ffc0734e07551aef291290da03871ed1
SSDEEP

1536:2TJjMefFvUW9jjaZoSbdD2DDo/wwyI5GM0M7eSB3/OizN+jsgevhWqLegb0hp:utMeN8W9jLS5D2g/Ry6GSB33Fge5ySo

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2608	winlogon.exe
2692	winlogon.exe

Loads dropped DLL 3 IoCs

pid	Process
2740	1bfb30639d02336395de9a01866d63b0.exe
2740	1bfb30639d02336395de9a01866d63b0.exe
2608	winlogon.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2740-15-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2608-31-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral1/memory/2692-50-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2740-35-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2468-56-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2468-55-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2468-52-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2740-22-0x00000000028E0000-0x0000000002917000-memory.dmp	upx
behavioral1/memory/2740-14-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2740-13-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2548-12-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral1/memory/2740-10-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2740-6-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2740-4-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2548-0-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral1/memory/2692-115-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2468-573-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2468-1315-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2468-1720-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2468-2326-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2468-2985-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2468-3613-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2468-4218-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2468-4831-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2468-7020-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2468-7238-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2468-7252-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2468-7279-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2548 set thread context of 2740	2548	1bfb30639d02336395de9a01866d63b0.exe	16
PID 2608 set thread context of 2692	2608	winlogon.exe	17

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2740	1bfb30639d02336395de9a01866d63b0.exe
2692	winlogon.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 3020	2548	1bfb30639d02336395de9a01866d63b0.exe	21
PID 2548 wrote to memory of 3020	2548	1bfb30639d02336395de9a01866d63b0.exe	21
PID 2548 wrote to memory of 3020	2548	1bfb30639d02336395de9a01866d63b0.exe	21
PID 2548 wrote to memory of 3020	2548	1bfb30639d02336395de9a01866d63b0.exe	21
PID 2548 wrote to memory of 2740	2548	1bfb30639d02336395de9a01866d63b0.exe	16
PID 2548 wrote to memory of 2740	2548	1bfb30639d02336395de9a01866d63b0.exe	16
PID 2548 wrote to memory of 2740	2548	1bfb30639d02336395de9a01866d63b0.exe	16
PID 2548 wrote to memory of 2740	2548	1bfb30639d02336395de9a01866d63b0.exe	16
PID 2548 wrote to memory of 2740	2548	1bfb30639d02336395de9a01866d63b0.exe	16
PID 2548 wrote to memory of 2740	2548	1bfb30639d02336395de9a01866d63b0.exe	16
PID 2548 wrote to memory of 2740	2548	1bfb30639d02336395de9a01866d63b0.exe	16
PID 2548 wrote to memory of 2740	2548	1bfb30639d02336395de9a01866d63b0.exe	16
PID 2740 wrote to memory of 2608	2740	1bfb30639d02336395de9a01866d63b0.exe	20
PID 2740 wrote to memory of 2608	2740	1bfb30639d02336395de9a01866d63b0.exe	20
PID 2740 wrote to memory of 2608	2740	1bfb30639d02336395de9a01866d63b0.exe	20
PID 2740 wrote to memory of 2608	2740	1bfb30639d02336395de9a01866d63b0.exe	20
PID 2608 wrote to memory of 2688	2608	winlogon.exe	18
PID 2608 wrote to memory of 2688	2608	winlogon.exe	18
PID 2608 wrote to memory of 2688	2608	winlogon.exe	18
PID 2608 wrote to memory of 2688	2608	winlogon.exe	18
PID 2608 wrote to memory of 2692	2608	winlogon.exe	17
PID 2608 wrote to memory of 2692	2608	winlogon.exe	17
PID 2608 wrote to memory of 2692	2608	winlogon.exe	17
PID 2608 wrote to memory of 2692	2608	winlogon.exe	17
PID 2608 wrote to memory of 2692	2608	winlogon.exe	17
PID 2608 wrote to memory of 2692	2608	winlogon.exe	17
PID 2608 wrote to memory of 2692	2608	winlogon.exe	17
PID 2608 wrote to memory of 2692	2608	winlogon.exe	17

C:\Users\Admin\AppData\Local\Temp\1bfb30639d02336395de9a01866d63b0.exe
"C:\Users\Admin\AppData\Local\Temp\1bfb30639d02336395de9a01866d63b0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\1bfb30639d02336395de9a01866d63b0.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2608
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\\svchost.exe
  2⤵
  PID:3020

C:\Users\Admin\E696D64614\winlogon.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2692
- C:\Users\Admin\E696D64614\winlogon.exe
  "C:\Users\Admin\E696D64614\winlogon.exe"
  2⤵
  PID:2468

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\\svchost.exe
1⤵
PID:2688

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2200

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:1600
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:275457 /prefetch:2
  2⤵
  PID:2568
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:209931 /prefetch:2
  2⤵
  PID:1432
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:3814419 /prefetch:2
  2⤵
  PID:1372
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:4011039 /prefetch:2
  2⤵
  PID:3012
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:3421232 /prefetch:2
  2⤵
  PID:1968
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:2176032 /prefetch:2
  2⤵
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ae7858ccf9cd53cb411f20697b05115

SHA1
93b1f90bfcd3ae58042dd86db5f24c36fd71d142

SHA256
bd718aefe672c6105c342984402c7f364c368f3292e0da9eefb478504e11ff7a

SHA512
96b33f375d5c8452443f1a912ad44b5e0a0fe4617ba5853f1a4c81ef227f9b9b05a552a2edc2e2e822d145dbceb1ccc1e93ecbf233f230e3a0d5054e52a19a85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b63230aa0ba7805ecbfa30f3e4c40c7

SHA1
255a0c744a84b72ee413afb5b15c8a0b2fea75f6

SHA256
7323eecece6a4a69352b4354d2c58df1e904a8291f46a4d862866eaf3fb19179

SHA512
d6af661862002eda87cf62d59b6745d14b87ffd20f59e193ad6b9fe750ce037614b564a2d1878ab60d593df4761c9283e35ac50600c74a4cbd5021924d21457b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\85MB95IY\http_404_webOC[1]

Filesize
6KB

MD5
92ab50175c4b03970f264c637c78febe

SHA1
b00fbe1169da972ba4a4a84871af9eca7479000a

SHA256
3926c545ae82fc264c98d6c229a8a0999e2b59ed2bb736f1bda9e2f89e0eeac8

SHA512
3311f118963ad1eaf1b9c7fb10b67280aae1ab38358aed77c10f2587100427af58c7d008abb46ad0f59880ac51e50b5a53fc2c2a96d70f5ece4578ab72382b7a

Download Submit
memory/2468-7020-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-7279-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-52-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-7238-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-7252-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-573-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-4832-0x0000000004370000-0x00000000053D2000-memory.dmp

Filesize
16.4MB

Download
memory/2468-4831-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-4218-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-3613-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-2985-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-2326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-1720-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-1315-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2548-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2548-12-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2548-2-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2608-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2692-50-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2692-115-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2740-4-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2740-10-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2740-6-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2740-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2740-14-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2740-22-0x00000000028E0000-0x0000000002917000-memory.dmp

Filesize
220KB

Download
memory/2740-35-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2740-1-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2740-28-0x0000000000420000-0x0000000000450000-memory.dmp

Filesize
192KB

Download
memory/2740-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2740-15-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download