e4ea9ab23f9a46916bf8bc1868bc6a19fb9e72f2eff0f3be9673b3ac75321ea8

Analysis

max time kernel
144s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6173ab4e19f76cf80bf9471297c54fbb.exe
Size

415KB
MD5

6173ab4e19f76cf80bf9471297c54fbb
SHA1

5af311f8778998f58a7f69733130703c9b5a70cf
SHA256

e4ea9ab23f9a46916bf8bc1868bc6a19fb9e72f2eff0f3be9673b3ac75321ea8
SHA512

fa70899042a9f381166a1d2126c2d7166e9606f01ddc527bf1335a1b93167afb68c6b409bac98cf7a018a56e4524f3a5e6e80d7488c120e0f02875bd5492951d
SSDEEP

6144:acCdSbxgvtC+emhHQfE/On+XvVimpcPi/YKRaY4kwhAqII2IIejGopInEfRIIOUf:abdMiqmBuE/oiwmpeimrDhb

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4236	pP06511PnNmA06511.exe

Executes dropped EXE 1 IoCs

pid	Process
4236	pP06511PnNmA06511.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3720-6-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/4236-18-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/3720-21-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/4236-22-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/4236-32-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/4236-46-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/3720-48-0x0000000000400000-0x00000000004C0000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pP06511PnNmA06511 = "C:\\ProgramData\\pP06511PnNmA06511\\pP06511PnNmA06511.exe"	pP06511PnNmA06511.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
4236	pP06511PnNmA06511.exe
4236	pP06511PnNmA06511.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
4236	pP06511PnNmA06511.exe
4236	pP06511PnNmA06511.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
4236	pP06511PnNmA06511.exe
4236	pP06511PnNmA06511.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
4236	pP06511PnNmA06511.exe
4236	pP06511PnNmA06511.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
4236	pP06511PnNmA06511.exe
4236	pP06511PnNmA06511.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
4236	pP06511PnNmA06511.exe
4236	pP06511PnNmA06511.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
4236	pP06511PnNmA06511.exe
4236	pP06511PnNmA06511.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
4236	pP06511PnNmA06511.exe
4236	pP06511PnNmA06511.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
3720	6173ab4e19f76cf80bf9471297c54fbb.exe
4236	pP06511PnNmA06511.exe
4236	pP06511PnNmA06511.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3720	6173ab4e19f76cf80bf9471297c54fbb.exe
Token: SeDebugPrivilege	4236	pP06511PnNmA06511.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4236	pP06511PnNmA06511.exe
4236	pP06511PnNmA06511.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4236	pP06511PnNmA06511.exe
4236	pP06511PnNmA06511.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4236	pP06511PnNmA06511.exe
4236	pP06511PnNmA06511.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 4236	3720	6173ab4e19f76cf80bf9471297c54fbb.exe	91
PID 3720 wrote to memory of 4236	3720	6173ab4e19f76cf80bf9471297c54fbb.exe	91
PID 3720 wrote to memory of 4236	3720	6173ab4e19f76cf80bf9471297c54fbb.exe	91

C:\Users\Admin\AppData\Local\Temp\6173ab4e19f76cf80bf9471297c54fbb.exe
"C:\Users\Admin\AppData\Local\Temp\6173ab4e19f76cf80bf9471297c54fbb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720
- C:\ProgramData\pP06511PnNmA06511\pP06511PnNmA06511.exe
  "C:\ProgramData\pP06511PnNmA06511\pP06511PnNmA06511.exe" "C:\Users\Admin\AppData\Local\Temp\6173ab4e19f76cf80bf9471297c54fbb.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pP06511PnNmA06511\pP06511PnNmA06511

Filesize
192B

MD5
7ab2ce664b6a6fb02ec1416332317e0a

SHA1
f5b946b80fa01c5f065ebb98200070487d79723d

SHA256
885489350ec2b13a24a9c338cf7cbc42b114b9acb71358ab60f4849dc440096a

SHA512
3ec9e2211c08e2e0c633dc73f6226c57bd2a7fcc1c57eaba0596fe4864ec0dff99f59a5e861210b134bf955f84306b9c80caed3382964811c9a2ca174e1815cb

Download Submit
C:\ProgramData\pP06511PnNmA06511\pP06511PnNmA06511.exe

Filesize
106KB

MD5
f9deacfbc6d40a6ba1e44f882703f08b

SHA1
702098114c53155164878068e82ef02dd1c3fdbd

SHA256
7e7ca18c760364311a5fdbd1445b95abce919fa26092847a07f02bf2b368a972

SHA512
50e370bebd7f0e1ecb796e8990eef915a78256b641008c8c622c4896e69e3b72139885eafcbf3eb37d1356dd7e6a71ced8d813bf1a8212a90b806616a544553b

Download Submit
C:\ProgramData\pP06511PnNmA06511\pP06511PnNmA06511.exe

Filesize
415KB

MD5
1e6e81ee8376322adb802cdc442ccdab

SHA1
1dc5194e886487a063dc9cec91bc09cc7503b867

SHA256
fb03856a62dad3dd5038e895ae76ca5ab029be0a6d08f34ce06edba21e7da518

SHA512
a7c2e9e3def03793c0a698cb393f6bf04cbea2e079f79df0ede68f8872b52f39508a2af77e0f111fded6d52ae10e6baaf16b3aa41166a3880780f990941ac3dd

Download Submit
memory/3720-0-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/3720-6-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3720-21-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3720-48-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4236-18-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4236-22-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4236-32-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4236-46-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download