780d0c227787b3c4fab20a7aed4930d020513e502ac58d98033b26a2effea28b

Analysis

max time kernel
161s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02e0214956f466660eef564a02eccad1.exe
Size

56KB
MD5

02e0214956f466660eef564a02eccad1
SHA1

e9c9eff6511283d22263c444ea6d46446a722dfa
SHA256

780d0c227787b3c4fab20a7aed4930d020513e502ac58d98033b26a2effea28b
SHA512

c3ef963aab9e93d3a673d873842a14f46a54b5c7920783870e461d558418b877e6d03fc227a4cf7ffc5b4cefc89f93b6baf00d249656e2b61117fdd7ab3db7b6
SSDEEP

1536:X223o0RyuxGY+avVkkD0qIGqjTFDGf9avt2I8Gn5wY6BqA:X22Y4V+a9kfqI5fF09Et2G5w3v

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2828	Au_.exe

Loads dropped DLL 3 IoCs

pid	Process
2828	Au_.exe
2828	Au_.exe
2828	Au_.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3748-0-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral2/memory/3748-3-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral2/files/0x0006000000023226-6.dat	upx
behavioral2/memory/2828-9-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral2/memory/3748-8-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral2/memory/2828-93-0x0000000000400000-0x0000000000436000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 2828	3748	02e0214956f466660eef564a02eccad1.exe	91
PID 3748 wrote to memory of 2828	3748	02e0214956f466660eef564a02eccad1.exe	91
PID 3748 wrote to memory of 2828	3748	02e0214956f466660eef564a02eccad1.exe	91

C:\Users\Admin\AppData\Local\Temp\02e0214956f466660eef564a02eccad1.exe
"C:\Users\Admin\AppData\Local\Temp\02e0214956f466660eef564a02eccad1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nspEADF.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspEADF.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspEADF.tmp\ioSpecial.ini

Filesize
658B

MD5
29170bbf975aa871e99f501e8e93b4d0

SHA1
d489b79ac1c42d2cd6613c71732d1be1ad47c56a

SHA256
efaa3122e2f05c3d1c8ced7a60b150ea8f1acabbe62536dbff180e6a5fee2c58

SHA512
ef679f6ddc583f91f2078f2a474f30b5e47817cb307a7769bf3f2af19035e934b4831967499f65ca5c1b81916ebc0ba69e03262ad9ea1e1af3544e6df928f6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
56KB

MD5
02e0214956f466660eef564a02eccad1

SHA1
e9c9eff6511283d22263c444ea6d46446a722dfa

SHA256
780d0c227787b3c4fab20a7aed4930d020513e502ac58d98033b26a2effea28b

SHA512
c3ef963aab9e93d3a673d873842a14f46a54b5c7920783870e461d558418b877e6d03fc227a4cf7ffc5b4cefc89f93b6baf00d249656e2b61117fdd7ab3db7b6

Download Submit
memory/2828-9-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2828-93-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3748-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3748-3-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3748-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download