ac6e48c417f264463f08dac5c61f25855c56716e46d98c07eff2b6afba370e07

Analysis

max time kernel
96s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bc6d968dc7bf14b22faacda814e78fe.exe
Size

472KB
MD5

3bc6d968dc7bf14b22faacda814e78fe
SHA1

8809369e2f4c37939bc149128dae61295ebaefc1
SHA256

ac6e48c417f264463f08dac5c61f25855c56716e46d98c07eff2b6afba370e07
SHA512

3167cbf457f3eb9316a86fdeeb019e2a61cfb3f00bb7891273899763e1c3ee7f57f36b23762f28fbc9daf53f58e44efbb8226a80a978b6ba8f2646753bf0cc56
SSDEEP

12288:3o0KQFr0jLiqUkwwarlSERGlkZW+qlV03Ps0M:3oNQFr2+qUJZrlt2kZW+D9

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3056	3bc6d968dc7bf14b22faacda814e78fe.exe

Executes dropped EXE 1 IoCs

pid	Process
3056	3bc6d968dc7bf14b22faacda814e78fe.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1824-0-0x0000000000400000-0x00000000005DA000-memory.dmp	upx
behavioral2/files/0x000600000001e5df-12.dat	upx
behavioral2/memory/3056-15-0x0000000000400000-0x00000000005DA000-memory.dmp	upx

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4448	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1824	3bc6d968dc7bf14b22faacda814e78fe.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1824	3bc6d968dc7bf14b22faacda814e78fe.exe
3056	3bc6d968dc7bf14b22faacda814e78fe.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 3056	1824	3bc6d968dc7bf14b22faacda814e78fe.exe	88
PID 1824 wrote to memory of 3056	1824	3bc6d968dc7bf14b22faacda814e78fe.exe	88
PID 1824 wrote to memory of 3056	1824	3bc6d968dc7bf14b22faacda814e78fe.exe	88
PID 3056 wrote to memory of 4448	3056	3bc6d968dc7bf14b22faacda814e78fe.exe	90
PID 3056 wrote to memory of 4448	3056	3bc6d968dc7bf14b22faacda814e78fe.exe	90
PID 3056 wrote to memory of 4448	3056	3bc6d968dc7bf14b22faacda814e78fe.exe	90
PID 3056 wrote to memory of 1808	3056	3bc6d968dc7bf14b22faacda814e78fe.exe	96
PID 3056 wrote to memory of 1808	3056	3bc6d968dc7bf14b22faacda814e78fe.exe	96
PID 3056 wrote to memory of 1808	3056	3bc6d968dc7bf14b22faacda814e78fe.exe	96
PID 1808 wrote to memory of 3388	1808	cmd.exe	91
PID 1808 wrote to memory of 3388	1808	cmd.exe	91
PID 1808 wrote to memory of 3388	1808	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\3bc6d968dc7bf14b22faacda814e78fe.exe
"C:\Users\Admin\AppData\Local\Temp\3bc6d968dc7bf14b22faacda814e78fe.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\3bc6d968dc7bf14b22faacda814e78fe.exe
  C:\Users\Admin\AppData\Local\Temp\3bc6d968dc7bf14b22faacda814e78fe.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\3bc6d968dc7bf14b22faacda814e78fe.exe" /TN 0Su7L8S745c1 /F
    3⤵
    - Creates scheduled task(s)
    PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 0Su7L8S745c1 > C:\Users\Admin\AppData\Local\Temp\4Znwwrb.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1808

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN 0Su7L8S745c1
1⤵
PID:3388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3bc6d968dc7bf14b22faacda814e78fe.exe

Filesize
153KB

MD5
093b16f1709f89bb63eadd7d958f45a3

SHA1
149e409c803c536d9049cefc5ee0931152e6fb8f

SHA256
8e346b7830d646a3f02d8fd09a1a6cee833e76df769396b05d46834770f69280

SHA512
a3ec71ac88fbfe9b0cb94eaa850fa9b99de27c35873bc62fd7d193bd779bcf10f853413cb0b4e8a487a8498101550bdac0d834c94561619fb7037e23d7b316a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Znwwrb.xml

Filesize
1KB

MD5
702da333c4bc19ade390e42d08a6fdd5

SHA1
7957ed565e0809bcc3d947f1149e1b0cc4b4b71f

SHA256
8876874e7714d2823b0ed5e718bb189d65ee172ce7a66dec3c229def7d8c7cf8

SHA512
15394c347c8ac7fa07adf8e5351f46b6de0676e9ae88f60cb8c405dfb96911493bd300fac1820a1dcee374c464829a014e53b8c5fd940f78471416262d765e81

Download Submit
memory/1824-0-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1824-1-0x00000000015E0000-0x0000000001656000-memory.dmp

Filesize
472KB

Download
memory/1824-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3056-17-0x0000000001710000-0x0000000001786000-memory.dmp

Filesize
472KB

Download
memory/3056-15-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/3056-23-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3056-22-0x0000000000500000-0x0000000000566000-memory.dmp

Filesize
408KB

Download
memory/3056-32-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads