9a549bae48b81fb49e013e0dd9c9b2a57e1a6cb1bb244eecd52e0f039bd48a6d

Analysis

max time kernel
149s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09664c8bf38c097939b07dfcaea9e398.exe
Size

1.8MB
MD5

09664c8bf38c097939b07dfcaea9e398
SHA1

9227c26a31a7399f91b371f1f3060e4bf5f77843
SHA256

9a549bae48b81fb49e013e0dd9c9b2a57e1a6cb1bb244eecd52e0f039bd48a6d
SHA512

3c6fa73922132769116f99dcd5d2527cb01867cf5f94b1bbd2ba8e04e279895919c8496542e2bd426c4a6bd8c02a7cb2f1af7075fcfdd4dfedf0e82d2a4a211b
SSDEEP

24576:S6pQPxQ2JyP2r5mJV91xM7RpbwgIvs7NxqUkHa:SCqm2Jpr0nNM7Dus7Nx26

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/392-0-0x0000000000400000-0x00000000005BA000-memory.dmp	upx
behavioral2/files/0x00010000000228ac-5.dat	upx
behavioral2/memory/392-3569-0x0000000000400000-0x00000000005BA000-memory.dmp	upx
behavioral2/files/0x0001000000021a20-8750.dat	upx
behavioral2/files/0x0001000000021a20-8752.dat	upx
behavioral2/files/0x0001000000021a20-8751.dat	upx
behavioral2/files/0x00010000000215b5-8755.dat	upx
behavioral2/files/0x00010000000215b5-8754.dat	upx
behavioral2/files/0x00010000000215b5-8753.dat	upx
behavioral2/memory/392-11181-0x0000000000400000-0x00000000005BA000-memory.dmp	upx

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	09664c8bf38c097939b07dfcaea9e398.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-200.png	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.ServiceModel.Http.dll.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\swscale-5_ms.dll.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-unplated_contrast-white.png.exe	09664c8bf38c097939b07dfcaea9e398.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-phn.xrm-ms	09664c8bf38c097939b07dfcaea9e398.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.tree.dat	09664c8bf38c097939b07dfcaea9e398.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\PREVIEW.GIF	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Heart.png.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-100.png	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-unplated.png	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-16.png.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-black_scale-125.png	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Spiral.png	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-256.png	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\NoteToolbox-dark.png	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\resources.pri	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-oob.xrm-ms.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libinflate_plugin.dll.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Threading.Timer.dll	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_contrast-black.png	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	09664c8bf38c097939b07dfcaea9e398.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml	09664c8bf38c097939b07dfcaea9e398.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ppd.xrm-ms	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ul-oob.xrm-ms.exe	09664c8bf38c097939b07dfcaea9e398.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DocumentFormat.OpenXml.dll	09664c8bf38c097939b07dfcaea9e398.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libcc_plugin.dll	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.exe	09664c8bf38c097939b07dfcaea9e398.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms	09664c8bf38c097939b07dfcaea9e398.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-oob.xrm-ms	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\6.png	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square71x71Logo.scale-125.png.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_01.jpg	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\RedAndBlackReport.dotx.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-localization-l1-2-0.dll.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsMedTile.contrast-white_scale-125.png.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\VALoading.png.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageWideTile.scale-150.png.exe	09664c8bf38c097939b07dfcaea9e398.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-phn.xrm-ms	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp5.scale-125.png	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\cancelled.slk	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-80_contrast-black.png.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-256.png	09664c8bf38c097939b07dfcaea9e398.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-pl.xrm-ms	09664c8bf38c097939b07dfcaea9e398.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7es.dll	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.dll.exe	09664c8bf38c097939b07dfcaea9e398.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.scale-125.png.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-125.png.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupLargeTile.scale-125.png	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-16.png.exe	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VCCORLIB140_APP.DLL.exe	09664c8bf38c097939b07dfcaea9e398.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\COPYING.txt	09664c8bf38c097939b07dfcaea9e398.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.RichMedia.Ink.dll	09664c8bf38c097939b07dfcaea9e398.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll	09664c8bf38c097939b07dfcaea9e398.exe

C:\Users\Admin\AppData\Local\Temp\09664c8bf38c097939b07dfcaea9e398.exe
"C:\Users\Admin\AppData\Local\Temp\09664c8bf38c097939b07dfcaea9e398.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll

Filesize
384KB

MD5
2f7fcfd9590f1c2eac2dfac5ab60feea

SHA1
9ea2c49f8c43e4226cc28d54fe8d288e2dd09245

SHA256
3648bc100863acbafe570772da8fc754321493aacb5436d9bddb2095af088762

SHA512
0bc32ce41388dc44a4659ba9e508e1686855971b940d8651b487971d45a81e667ed7adaac6b44705740fd63889f02b8aa4950bc226d46819c053dd7c20803e1b

Download Submit
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
128KB

MD5
b80af532f6e6d4d12703a4e8ed504695

SHA1
d63834b8ab0721446859412e44c21619d25916c5

SHA256
f1ca31d15965d9fcb2eb7e1a8fcf1e7704239a93c0561bbd64687f459f1795e3

SHA512
caec111ce9607fcfb377c2c85a3583dac71f587ca99d3cd9d7b7fb5ffac87d0133c4a2aa189b08ad834f116e8c3583aa374d15a8ce1e571da930aa36dacd6d9a

Download Submit
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
136KB

MD5
14fb3689cd7f4f285ce42c8937e6824b

SHA1
ef3ab2754eb696effb5ce55ccd3277a65beb9e6d

SHA256
f6fd9adb2231c9b95a6713675ddce17dd076f8f916fa5556e76a23e4ea6c5757

SHA512
ab7506eb1a051fab97bfbb60c759da1127fad611767f780b28d3d5ed7b277bc1e5a7d34207d62522894843e806fab7505d35509f2987b9960bc14bccd98380db

Download Submit
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
64KB

MD5
2bbebb4ae5ec4524323a2a6514d02eb0

SHA1
d3725c6102312d36da5a9d2b3c931f89a607e81a

SHA256
9a2127a891b447292adce248eef70ee502be1b5768a03ae9807f7a51b22d414f

SHA512
5c3dfb69941f344adc59c14bff696c10fcdc90f04c978336592a962b23508741abb962b5ca5130092aa719113a7e2efc45a15dc395d8ffe08a3a5896af23c031

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
321KB

MD5
d0b81aa0218289a0c4513522a8ff4cd3

SHA1
6a2f9202bf5237e070ab7387374bd775f17a30dd

SHA256
5739fb12e387eeb2e77c3edf313bee0f0edf158cd9b46a62cd3e76b07d558242

SHA512
04cab636e644faaeafb59785775b2ed42d243746813cd9b2480549b8d311388b42f9f7d181869ff3ce6a775a761c506079f5e73d3f2f7f411bba5ac02c400238

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
193KB

MD5
0621706209c5dc29f5b2d1bf787148e2

SHA1
70089d5f37eb4c86bf851eae8395c02cea3dec07

SHA256
3603951b11ec09aca5c01eed38b928bfd1facbc5bd550dfb2a02389a0931b68e

SHA512
3bbed54bf713b0aa1a7188fdcce748b1f9235553061a4ab78c6d8f0d574fea9297980d97d13e7b39019897cd6f0e4bb4e9175416e383f7b89038fa221bb4e284

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
143KB

MD5
7dfa3cbad44744d90d1c1ff46bc51fcf

SHA1
c56f014766001faa6d10e1a5c4ce4ab4f4bad31f

SHA256
0e4d79551adfe6e686dc0c4797d042ceda59a3985d21a5a88b5bfc88df535dff

SHA512
21e2a76bd2b23a679e7780e62f2de10d49ebd31a6c8ff5f5e8fe4d4ebd85b16945eaae0be022c3607c24c59770022cb4e381e9d50872292c4e47d629bf891a94

Download Submit
memory/392-0-0x0000000000400000-0x00000000005BA000-memory.dmp

Filesize
1.7MB

Download
memory/392-3569-0x0000000000400000-0x00000000005BA000-memory.dmp

Filesize
1.7MB

Download
memory/392-11181-0x0000000000400000-0x00000000005BA000-memory.dmp

Filesize
1.7MB

Download