34f17c9cdba6e3bb9340628e32c2fc2e7f65223530549d32fa1ee1b5dc184a68

Analysis

max time kernel
0s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3334cb43b69c61d33289b4cf8a5e16f6.exe
Size

1.7MB
MD5

3334cb43b69c61d33289b4cf8a5e16f6
SHA1

f70b0becd639338a427f6424a2272178f58dae53
SHA256

34f17c9cdba6e3bb9340628e32c2fc2e7f65223530549d32fa1ee1b5dc184a68
SHA512

e33d7f0325781eb7a6cad0fec7a4655620f21464215bde52fa8f7bd00632d26724940891d66dcf617a1ee43f4b73077d950da400c28df0f895014a384fd0d8ee
SSDEEP

49152:610vJAyGlATIXdM7RQTE7JBKqf+Fj8McTFgIEIv:hJAyGCTIXdMiY7+qGB8DgIEIv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2568	sg.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4652-0-0x0000000000400000-0x0000000000545000-memory.dmp	upx
behavioral2/memory/4652-44-0x0000000000400000-0x0000000000545000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeBackupPrivilege	4652	3334cb43b69c61d33289b4cf8a5e16f6.exe
Token: SeRestorePrivilege	4652	3334cb43b69c61d33289b4cf8a5e16f6.exe
Token: 33	4652	3334cb43b69c61d33289b4cf8a5e16f6.exe
Token: SeIncBasePriorityPrivilege	4652	3334cb43b69c61d33289b4cf8a5e16f6.exe
Token: SeCreateGlobalPrivilege	4652	3334cb43b69c61d33289b4cf8a5e16f6.exe
Token: 33	4652	3334cb43b69c61d33289b4cf8a5e16f6.exe
Token: SeIncBasePriorityPrivilege	4652	3334cb43b69c61d33289b4cf8a5e16f6.exe
Token: 33	4652	3334cb43b69c61d33289b4cf8a5e16f6.exe
Token: SeIncBasePriorityPrivilege	4652	3334cb43b69c61d33289b4cf8a5e16f6.exe
Token: SeRestorePrivilege	2568	sg.tmp
Token: 35	2568	sg.tmp
Token: SeSecurityPrivilege	2568	sg.tmp
Token: SeSecurityPrivilege	2568	sg.tmp

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 1924	4652	3334cb43b69c61d33289b4cf8a5e16f6.exe	14
PID 4652 wrote to memory of 1924	4652	3334cb43b69c61d33289b4cf8a5e16f6.exe	14
PID 4652 wrote to memory of 2568	4652	3334cb43b69c61d33289b4cf8a5e16f6.exe	20
PID 4652 wrote to memory of 2568	4652	3334cb43b69c61d33289b4cf8a5e16f6.exe	20
PID 4652 wrote to memory of 2568	4652	3334cb43b69c61d33289b4cf8a5e16f6.exe	20

C:\Users\Admin\AppData\Local\Temp\3334cb43b69c61d33289b4cf8a5e16f6.exe
"C:\Users\Admin\AppData\Local\Temp\3334cb43b69c61d33289b4cf8a5e16f6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:1924
- C:\Users\Admin\AppData\Local\Temp\~523951933799082400\StopUpdates10.exe
  "C:\Users\Admin\AppData\Local\Temp\~523951933799082400\StopUpdates10.exe"
  2⤵
  PID:2432
- C:\Users\Admin\AppData\Local\Temp\~6256502254128069468~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\3334cb43b69c61d33289b4cf8a5e16f6.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~523951933799082400"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2432-19-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/2432-45-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2432-48-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4652-0-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/4652-44-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download