b377b59b81a13a9fe9f108c714a1c048c7c87bf90ce08c9f36b0c16ac4628dd3

Analysis

max time kernel
92s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32d29b7bba1fcb504f778f31c0a264a6.exe
Size

1.8MB
MD5

32d29b7bba1fcb504f778f31c0a264a6
SHA1

88fc06149200b5c44d7f80b4ab01e151ffb27c50
SHA256

b377b59b81a13a9fe9f108c714a1c048c7c87bf90ce08c9f36b0c16ac4628dd3
SHA512

2e1b8cb6ee572a91b1029f5a3a8fed29071ef0153c02e424983c4ca48748d33ba6344ad7f9cfad26d2290f87fb09253dd3be424d82515e1714ecbe076277dac0
SSDEEP

24576:S6pQPxQ2JyP2r5mJV91xM7RpbwgIvs7Nxq5:SCqm2Jpr0nNM7Dus7NxM

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2836-0-0x0000000000400000-0x00000000005BA000-memory.dmp	upx
behavioral2/files/0x00020000000228cc-5.dat	upx
behavioral2/memory/2836-5982-0x0000000000400000-0x00000000005BA000-memory.dmp	upx
behavioral2/files/0x0001000000021e1b-11163.dat	upx
behavioral2/files/0x0001000000021e1b-11164.dat	upx
behavioral2/files/0x0001000000021e1b-11166.dat	upx
behavioral2/files/0x0001000000021e1b-11167.dat	upx
behavioral2/files/0x0001000000021e1b-11168.dat	upx
behavioral2/files/0x0001000000021e1b-11165.dat	upx
behavioral2/memory/2836-13409-0x0000000000400000-0x00000000005BA000-memory.dmp	upx

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\desktop.ini	32d29b7bba1fcb504f778f31c0a264a6.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\THMBNAIL.PNG.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DcfMsoWrapper.dll.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_contrast-black.png.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-125_contrast-black.png.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLikeExactly.ps1	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.White.png.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.png	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-24_contrast-white.png	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookPromoTile.scale-200.png	32d29b7bba1fcb504f778f31c0a264a6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-processthreads-l1-1-1.dll	32d29b7bba1fcb504f778f31c0a264a6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libsmb_plugin.dll	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	32d29b7bba1fcb504f778f31c0a264a6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dll	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\Windows Media Player\es-ES\WMPMediaSharing.dll.mui	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookLargeTile.scale-200.png.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48_altform-unplated_contrast-white.png.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLike.ps1.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\IRIS.ELM	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-150.png.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Private.CoreLib.dll	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\System.Windows.Forms.resources.dll.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_altform-unplated_contrast-white.png	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\MSFT_PackageManagementSource.strings.psd1.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms	32d29b7bba1fcb504f778f31c0a264a6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-200_contrast-white.png	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactNativeWebViewBridge.winmd.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\WideTile.scale-200.png	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-80.png.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\vlc.mo.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\meetings-chat-upsell.png.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-200.png.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-80_altform-unplated_contrast-white.png.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-125.png.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.Security.dll.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-unplated_contrast-white.png	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerMedTile.contrast-black_scale-125.png	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-white_scale-200.png.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32.png	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-16.png	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\EntCommon.dll	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-400.png	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\VideoLAN\VLC\skins\skin.catalog.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\AppxSignature.p7x.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	32d29b7bba1fcb504f778f31c0a264a6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-150.png.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxComm.Ipc.Proxies.dll	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail.scale-125.png.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\Windows Photo Viewer\PhotoViewer.dll	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_PigNose.png	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-96_altform-unplated.png	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\resources.pri.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Diagnostics.EventLog.dll.exe	32d29b7bba1fcb504f778f31c0a264a6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md	32d29b7bba1fcb504f778f31c0a264a6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-125.png	32d29b7bba1fcb504f778f31c0a264a6.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailLargeTile.scale-400.png	32d29b7bba1fcb504f778f31c0a264a6.exe

C:\Users\Admin\AppData\Local\Temp\32d29b7bba1fcb504f778f31c0a264a6.exe
"C:\Users\Admin\AppData\Local\Temp\32d29b7bba1fcb504f778f31c0a264a6.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll

Filesize
1.4MB

MD5
3596c0205cbb24b50b7ed7b2d018ac4a

SHA1
76c0c62a00ffabe606e497f75ca06027a05b9a5b

SHA256
f9ba278ae7f2c7afe99b956ccbf44f56401cca1caf5edac6920ddde763ced2dc

SHA512
3cb836e9d77bd15d91bebe05cd2a289c375f3ca778c0e4cab8a4730b371e51372deccd36440eb7923c8d572ee70c0043c56797d2eb0e51e3a614a8ccce67492b

Download Submit
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
464KB

MD5
31f38c70a6a343d1c71b591fc7135a48

SHA1
0674dd0098a95d7e72bedc94dc4cfd0935cf678f

SHA256
4765fbbf0fde7c26a7dba43b751920b6beecf3f74be1444d61d121204ac5f1ad

SHA512
be79d435f01ee7c06d43c31bdd8cdbd896718e3cbdcf810d8d91bb5520b941adc92d5e3acfe1acb382d89a42bde748e0845c370ecef03009e386d57bc588d0fb

Download Submit
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
353KB

MD5
3d2e1641210ac37305969b6e05d7835c

SHA1
71310c592b9bf83b5199f7cca01cfc177a2e99b0

SHA256
bcf3f86311796093b5cf01f9edf2ada5b48867f728adb68af2e889ea4f28dd86

SHA512
7ae27312b179cc1b42ce585c6de660f2d2345b238c7f76d58b0091b81b3f9613bc7b23a582b6330fc059829c5fe0d0fbdc295fd83d096f2c6cd6436b1119dcf6

Download Submit
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
279KB

MD5
50b8577aaf105c228e895eaec79a875a

SHA1
a0f25ce4ce1694890774c5aa55ec9211f479c398

SHA256
3759318ab65fd648487465a2c80092767df89c0a29413cd21a7594cccc912a7f

SHA512
e774ee17de180d471ca1eba61701a3c6a79b3e32c351a7eadb35166745cf51aa7ece0bc8516c4f82f0b3e447411a9ef1fbd1593d8fe65ca56a69cd11d2fa5d96

Download Submit
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
304KB

MD5
91031aebbe85e3e1c87f7bc6b581f2a0

SHA1
35b98d088063e0a5cbe4639cc1c1ceb85956ed44

SHA256
7e0b20841c9874119ce3fcee2345d3253fc6abdf1021931f106742b028d5a219

SHA512
6c87cb6bfde2f1aca11e9845c8963b47108259497e5e00a6c21bb38227192e83a42c7559f32e3eb6a9b951f9da22a03aacff7b7e7329159908a1e0249b5eccd3

Download Submit
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
224KB

MD5
5113cf998176006ec28c20862ef86c12

SHA1
b25e49503481402442967369cdd39c8e20b174b2

SHA256
7627ed6fe5747500391f10905aa7a7294eb5405d68c61fcdab620106df264f7a

SHA512
a39863cdff2ccf7c5ec4a9e878c96750a187e696bc7f6cc0ea650ea6ca1f370b0ed8d0e3e9b77f1f0eb0dd3cc995f2295082ec08e5ae907a48518eacc69d1a19

Download Submit
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
280KB

MD5
f138a892f8dbefbc950560e911b55398

SHA1
a31b0701b8b149bdd6901ae05932817277038af5

SHA256
8c4ce5881b4eddeffcb73c309c2db9a0607b7ab99a4f2560c6581654747a1989

SHA512
a386c962a1fcc0ffb134623f06c1506732838b365d1c555ae2fb0303c95b5f21cb8a5477fa2f68845bf223a66ab8bdaabd8b44df3c42c11efe9b4f075c102de0

Download Submit
memory/2836-0-0x0000000000400000-0x00000000005BA000-memory.dmp

Filesize
1.7MB

Download
memory/2836-5982-0x0000000000400000-0x00000000005BA000-memory.dmp

Filesize
1.7MB

Download
memory/2836-13409-0x0000000000400000-0x00000000005BA000-memory.dmp

Filesize
1.7MB

Download