52e03d7e4c605edb9ecf08be8f663291567e200515031aa612c86fc773f0f3e0

Analysis

max time kernel
140s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 16:22

Target

2cbe69d73cabeaed4014960c31d54d6e.exe
Size

34KB
MD5

2cbe69d73cabeaed4014960c31d54d6e
SHA1

f2784c1c24ca3339517c3ff1c52bdcdab7f9107f
SHA256

52e03d7e4c605edb9ecf08be8f663291567e200515031aa612c86fc773f0f3e0
SHA512

7f346800c3883d28628809ba894a7f033553d7dd875faa9350c3a3f3596f3641ddc714e5e29f821ac7574d9b00f926d2417ccc708dbc9f57bc824eb227dee9b6
SSDEEP

768:UTQ3LqQSInRRNm78gNtMmOGmCwSJmLYoR6U6C1du4nnZlZY:UTQ3SyRR84gNemOCjJ7or6C1du4nZHY

Score

7^/10

upx

Deletes itself 1 IoCs

pid	Process
2288	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
864	kkaaya.exe

Loads dropped DLL 3 IoCs

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2928-0-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/files/0x000b000000014227-3.dat	upx
behavioral1/memory/864-10-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2928-11-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/864-12-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\kkaaya.exe	2cbe69d73cabeaed4014960c31d54d6e.exe
File created	C:\Windows\SysWOW64\kkaaya.exe	2cbe69d73cabeaed4014960c31d54d6e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2928	2cbe69d73cabeaed4014960c31d54d6e.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2288	2928	2cbe69d73cabeaed4014960c31d54d6e.exe	29
PID 2928 wrote to memory of 2288	2928	2cbe69d73cabeaed4014960c31d54d6e.exe	29
PID 2928 wrote to memory of 2288	2928	2cbe69d73cabeaed4014960c31d54d6e.exe	29
PID 2928 wrote to memory of 2288	2928	2cbe69d73cabeaed4014960c31d54d6e.exe	29
PID 2928 wrote to memory of 2288	2928	2cbe69d73cabeaed4014960c31d54d6e.exe	29
PID 2928 wrote to memory of 2288	2928	2cbe69d73cabeaed4014960c31d54d6e.exe	29
PID 2928 wrote to memory of 2288	2928	2cbe69d73cabeaed4014960c31d54d6e.exe	29

C:\Users\Admin\AppData\Local\Temp\2cbe69d73cabeaed4014960c31d54d6e.exe
"C:\Users\Admin\AppData\Local\Temp\2cbe69d73cabeaed4014960c31d54d6e.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2CBE69~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2288

C:\Windows\SysWOW64\kkaaya.exe

Filesize
34KB

MD5
2cbe69d73cabeaed4014960c31d54d6e

SHA1
f2784c1c24ca3339517c3ff1c52bdcdab7f9107f

SHA256
52e03d7e4c605edb9ecf08be8f663291567e200515031aa612c86fc773f0f3e0

SHA512
7f346800c3883d28628809ba894a7f033553d7dd875faa9350c3a3f3596f3641ddc714e5e29f821ac7574d9b00f926d2417ccc708dbc9f57bc824eb227dee9b6

Download Submit
memory/864-9-0x00000000002D0000-0x00000000002F9000-memory.dmp

Filesize
164KB

Download
memory/864-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/864-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-2-0x00000000001C0000-0x00000000001E9000-memory.dmp

Filesize
164KB

Download
memory/2928-4-0x00000000001C0000-0x00000000001E9000-memory.dmp

Filesize
164KB

Download
memory/2928-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download