bdc220d65925a6b2475f6e7b361dc6ff555c5cf1e5ff60e7dbf50a3f63294e7d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3090d523659f6b4553e61570b54343a9.exe
Size

867KB
MD5

3090d523659f6b4553e61570b54343a9
SHA1

c9d3ef1ca7fd186fc8778d1f247ea75852f37015
SHA256

bdc220d65925a6b2475f6e7b361dc6ff555c5cf1e5ff60e7dbf50a3f63294e7d
SHA512

9945d45b6a303321df52eb6015c0583af8d2203b15a27ce9f064f39d2f9f07ca01633c205138c9390e81a77a9bf7548d0c2fd421e530e54712dd1ffe16d6fec9
SSDEEP

12288:RBgwwrUt4ihIZW7OfeJQJ9R48TphofpfpJFH9xaJ:RBxwpihIZWCfesL4op6xw

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/508-0-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral2/memory/508-4-0x0000000000400000-0x00000000004DA000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pc-up = "C:\\program files\\pc-up\\pcup.exe"	3090d523659f6b4553e61570b54343a9.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\program files\pc-up\pcuphk.dll	3090d523659f6b4553e61570b54343a9.exe
File created	C:\program files\pc-up\pcupupdater.exe	3090d523659f6b4553e61570b54343a9.exe
File created	C:\program files\common files\pc-up\pcupuninst.exe	3090d523659f6b4553e61570b54343a9.exe
File created	C:\program files\pc-up\pcuppopd.dll	3090d523659f6b4553e61570b54343a9.exe
File created	C:\program files\pc-up\pcupwcher.exe	3090d523659f6b4553e61570b54343a9.exe
File created	C:\program files\pc-up\pcup.exe	3090d523659f6b4553e61570b54343a9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 508 wrote to memory of 1288	508	3090d523659f6b4553e61570b54343a9.exe	97
PID 508 wrote to memory of 1288	508	3090d523659f6b4553e61570b54343a9.exe	97
PID 508 wrote to memory of 1288	508	3090d523659f6b4553e61570b54343a9.exe	97

C:\Users\Admin\AppData\Local\Temp\3090d523659f6b4553e61570b54343a9.exe
"C:\Users\Admin\AppData\Local\Temp\3090d523659f6b4553e61570b54343a9.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\$$wefd84122098.bat
  2⤵
  PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$$wefd84122098.bat

Filesize
205B

MD5
b2660a678a41f82497e4da95f05604d7

SHA1
5184c5023ee7c8a15c737a1cb6eabe7127b56fe2

SHA256
2794563c500a137202f382fbdefe84bb035a5d1ead0ffc3f545051abbdc7544e

SHA512
95759a531f5927ebe93005d19101a228e746373c891bebc78b08d43e1177f5869741433a7615fe9abfd8c6351f6015fa6405b3ba3bab0f78828545bd0f6bc62e

Download Submit
memory/508-0-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/508-1-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/508-4-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads