c0090221c93d5af867d6ea1f7039089b6df3dadae9b7eedd271dbbd02f10e09a

Analysis

max time kernel
146s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a9ec2dbcdb5d76a728419dfa865fa3b.exe
Size

1.8MB
MD5

1a9ec2dbcdb5d76a728419dfa865fa3b
SHA1

71a59231f854967a303a3139626a3d97c40a7b0a
SHA256

c0090221c93d5af867d6ea1f7039089b6df3dadae9b7eedd271dbbd02f10e09a
SHA512

72a0708f40eae3ed6a8cbcaec1dcafe5c9dee214e19f9eab92103ec58a919276b96a8835d78c7c09230374eeb6e4503f0f48c71470e788e6f1d39f9ab22ad65f
SSDEEP

24576:S6pQPxQ2JyP2r5mJV91xM7RpbwgIvs7NxqUkHl:SCqm2Jpr0nNM7Dus7Nx2F

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 12 IoCs

pid	Process
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4980-0-0x0000000000400000-0x00000000005BA000-memory.dmp	upx
behavioral2/files/0x00010000000228a0-5.dat	upx
behavioral2/memory/4980-5838-0x0000000000400000-0x00000000005BA000-memory.dmp	upx
behavioral2/files/0x0001000000021d25-9413.dat	upx
behavioral2/files/0x0001000000021d25-9415.dat	upx
behavioral2/files/0x0001000000021d25-9414.dat	upx
behavioral2/files/0x0001000000021d5a-9424.dat	upx
behavioral2/files/0x0001000000021d25-9445.dat	upx
behavioral2/files/0x0001000000021d5a-9423.dat	upx
behavioral2/files/0x0001000000021d5a-9422.dat	upx
behavioral2/memory/4980-13397-0x0000000000400000-0x00000000005BA000-memory.dmp	upx

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\desktop.ini	1a9ec2dbcdb5d76a728419dfa865fa3b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\FreshPaint.Model.CX.dll.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.CompilerServices.VisualC.dll.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-125.png	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.js	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\SmallTile.scale-200.png.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File opened for modification	C:\Program Files\Microsoft Office\AppXManifest.xml	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libfreeze_plugin.dll	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_contrast-black.png.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\AppxManifest.xml	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.scale-150.png	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Numerics.dll	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPINTL.DLL.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag-dark.png	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODEXL.DLL	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-150_contrast-black.png.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\Images\DefaultProfileImage.png	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-200.png.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul-oob.xrm-ms	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\EEINTL.DLL.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Grouping.Base.dll.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-256.png.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_common.dll.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.png.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\MedTile.scale-200.png	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Microsoft.PowerShell.Operation.Validation.Tests.ps1	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.DLL.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-32_altform-lightunplated.png	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\System.Windows.Forms.Design.resources.dll	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSmallTile.scale-150.png	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookWideTile.scale-100.png.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Photos.Viewer.Sequence.dll	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-40_altform-unplated_contrast-black.png.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.dll	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-96_altform-unplated_contrast-white.png	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\WindowsFormsIntegration.resources.dll	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_altform-unplated_contrast-white.png.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-24_altform-unplated.png.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-72_altform-unplated_contrast-white.png	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-oob.xrm-ms	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ODATACPP.DLL	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-24_altform-colorize.png.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.RichMedia.Packaging.dll.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\WideTile.scale-100.png	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\MSFT_PackageManagement.schema.mfl	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ul-oob.xrm-ms	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-pl.xrm-ms	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBHW6.CHM.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-256.png.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256.png	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Custom_Sticker_Checkerboard.png.exe	1a9ec2dbcdb5d76a728419dfa865fa3b.exe

C:\Users\Admin\AppData\Local\Temp\1a9ec2dbcdb5d76a728419dfa865fa3b.exe
"C:\Users\Admin\AppData\Local\Temp\1a9ec2dbcdb5d76a728419dfa865fa3b.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:4980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll

Filesize
1024KB

MD5
6f3c31a880db3e9e35945c17aaae34d8

SHA1
cf09444cc59521ad1cca8632581dcad9977d96a8

SHA256
1cbdb1a76150f6b3bd910bd6e17a5dbd40ef31427d64e87231b5e4ea73dffafb

SHA512
db07930d9ff7688e01ec30b3849c24d60245b8fe68f6b40d7fa9d2629a72e86fe4d862c28a5840815af6373cdc1fbacc7202e62a91aa35da73582b324aca6e4d

Download Submit
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
96KB

MD5
b1673ce6b5d6f13495d964caf534917a

SHA1
b9831f7a86006958f590924665b15167fd2a9f3c

SHA256
c60fd53f95d85180156150e887db5952b81b18ed43ac162ee4ebf3d0b5bd7cf6

SHA512
0bc8476c60ed508ccd65f67c9b2bb191dfd88062ab2a69a34bdfc2c21f3eaee7e54a50709b7716c4e7e235d23d27f5e2d9a5ba6bd765afaa9646b402e37c5568

Download Submit
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
381KB

MD5
2e6c5fa5421dc2472b426f9e20bb1a8d

SHA1
858ea62ed936482d0139a2a9f72f6471efb52c02

SHA256
cc29fe4d92038da803cb7fb2b12fd66ed619f330a923a3ff4914cd1c37061ed9

SHA512
1801fe226fe479c26e616e68d0f0b460565e81fc47485baf376f54c32c9e761b39dee0958b198be68a6b4388afd12e29070196f54475c8821831f0b6c6ac407f

Download Submit
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
92KB

MD5
94d0a59e3e1f8034cf928876b525b2e7

SHA1
30600a6adaa67b9869a92bdcd1fa14b38632e150

SHA256
ed4e1966cd563d7725bc4d87fc6c03e4f2c170a015dc364b4ab9dbe923de852c

SHA512
42d76e865408a314eac1a5158ec5b09058b07b0672ae4850e495ab029b40115e52037bd0248ddf546139aee00a78b442dbee2b5e56bf5653c42d45a5d64271bf

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
52KB

MD5
1ae1e8d120fd13e68a0505edacebc591

SHA1
799ae458257bc1a8a52d3465ce463a8ec18bf3a1

SHA256
89c603dac8d4e2f48af2536743056089b21f4217371edd8b8e7753bb206a739f

SHA512
11d267048734622009c343d92f74bbf5e147d20b89345a92528d161204417e4bf07e7fcf28cf2feed8033a76b5663cb23902b8a239cf425459fd2a7a732724bb

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
1.1MB

MD5
2b4688b76f23a899125201a4cb2ab970

SHA1
350b6e93200cb40f1e41810f862d0c35cc92a638

SHA256
439a9d06f39f449971dd774609eca57c0a0008bc921077a0400bdc4276ee928d

SHA512
bafd67fcdd560a43dcb476e2d3b3a172720885a7dc6115432160ef2155591a249112c18e99d0a8150443bb81a124ba0b92f7de2e2d7c51b8d4d0fa95ee2311d9

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
14KB

MD5
507e2310b3f1fd3653eb5eeb2bf9dd8b

SHA1
6427c40c667fb309bea786f4caaf3e79bf765839

SHA256
da4c5f98bdf93995366f7d6e4da8c959aabaadca6c70e1f21defdad69e05577b

SHA512
de9c56037c5019c76bc9ca055e59a25e3ddf3c045ef309e4c823179a09bcc6dc0073164864d1a11e9af350f524c5ca6db68d81f624c7ed6d88a89ae13ef8c1e5

Download Submit
memory/4980-0-0x0000000000400000-0x00000000005BA000-memory.dmp

Filesize
1.7MB

Download
memory/4980-5838-0x0000000000400000-0x00000000005BA000-memory.dmp

Filesize
1.7MB

Download
memory/4980-13397-0x0000000000400000-0x00000000005BA000-memory.dmp

Filesize
1.7MB

Download