89a1b4dd2ca970d2a848e34aa7c9836b7d8ed3eb26a12afa155d0a96d3d2c950

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55fd02fca010f86df59e1fe7151bc08b.exe
Size

106KB
MD5

55fd02fca010f86df59e1fe7151bc08b
SHA1

15042f67270e725aadfa36c946f292bd91405348
SHA256

89a1b4dd2ca970d2a848e34aa7c9836b7d8ed3eb26a12afa155d0a96d3d2c950
SHA512

dc8d6f4e3691dbb19d7660682b32a1d3264da7c54a768051e7f86c525fbceb77d19236ec2e373f7bf05df3959ab1cab91aee4a38be0655f3303361d464abc90e
SSDEEP

1536:EHcuoMnOT9QFYJ8BlSKD/rfDBiHCi7SgkGqkBNgD6AS:xuoMnOmiaBlVH1dkI

Score

7^/10

upx

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rlxfj.lnk	WScript.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2192-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2192-1-0x0000000000220000-0x000000000023C000-memory.dmp	upx
behavioral1/memory/2192-13-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2192 set thread context of 2792	2192	55fd02fca010f86df59e1fe7151bc08b.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2792	2192	55fd02fca010f86df59e1fe7151bc08b.exe	28
PID 2192 wrote to memory of 2792	2192	55fd02fca010f86df59e1fe7151bc08b.exe	28
PID 2192 wrote to memory of 2792	2192	55fd02fca010f86df59e1fe7151bc08b.exe	28
PID 2192 wrote to memory of 2792	2192	55fd02fca010f86df59e1fe7151bc08b.exe	28
PID 2192 wrote to memory of 2792	2192	55fd02fca010f86df59e1fe7151bc08b.exe	28
PID 2192 wrote to memory of 2792	2192	55fd02fca010f86df59e1fe7151bc08b.exe	28
PID 2192 wrote to memory of 2792	2192	55fd02fca010f86df59e1fe7151bc08b.exe	28
PID 2192 wrote to memory of 2792	2192	55fd02fca010f86df59e1fe7151bc08b.exe	28
PID 2192 wrote to memory of 2792	2192	55fd02fca010f86df59e1fe7151bc08b.exe	28
PID 2792 wrote to memory of 2880	2792	55fd02fca010f86df59e1fe7151bc08b.exe	29
PID 2792 wrote to memory of 2880	2792	55fd02fca010f86df59e1fe7151bc08b.exe	29
PID 2792 wrote to memory of 2880	2792	55fd02fca010f86df59e1fe7151bc08b.exe	29
PID 2792 wrote to memory of 2880	2792	55fd02fca010f86df59e1fe7151bc08b.exe	29

C:\Users\Admin\AppData\Local\Temp\55fd02fca010f86df59e1fe7151bc08b.exe
"C:\Users\Admin\AppData\Local\Temp\55fd02fca010f86df59e1fe7151bc08b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\55fd02fca010f86df59e1fe7151bc08b.exe
  "C:\Users\Admin\AppData\Local\Temp\55fd02fca010f86df59e1fe7151bc08b.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vjsch.vbs"
    3⤵
    - Drops startup file
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vjsch.vbs

Filesize
5KB

MD5
3e7b7a33cd0a9d051801cabafacd9273

SHA1
3da6b27dc4ff358904e497f5efda823b782fc1a6

SHA256
7d11ae38864136461ac42e024fe7ca4be4610cef4617de24862946b3c42f0832

SHA512
33a3946d4fe03d1be5623f5134e29dfdf5578bbf86ebce713732ade01f859f6e4a07b641d45ede85d583575a3f6bb40287238bb01a31f6b781152a313bab7ead

Download Submit
memory/2192-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2192-1-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/2192-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2792-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2792-4-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2792-6-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2792-8-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2792-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2792-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2792-15-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2792-18-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download