6d05012af704ff045364a73cff0ba6b3052a1a99a597117d0f23f1bd068d59ab

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67a47a00e0217b23421354a859d6fafd.exe
Size

425KB
MD5

67a47a00e0217b23421354a859d6fafd
SHA1

78420fea6eae62a44e599a77e4dce53ed814f0da
SHA256

6d05012af704ff045364a73cff0ba6b3052a1a99a597117d0f23f1bd068d59ab
SHA512

7b631fdc3fad3d07330ccedb52f64b521eb42ac85b09e3346c216bf965f92a8bcfb528cee0bed45711927941639246f43ed091bde26d5b7a87369e5a64e0228f
SSDEEP

6144:9c9cTrY1BWNEe2mcnkLbm3Yw9v4J5LJeJ/HGl5+2Fk382Ac:9c9cY1s6tmckLbBwd4gxGC2

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2864	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2768	xcuxe.exe

Loads dropped DLL 3 IoCs

pid	Process
2864	cmd.exe
2864	cmd.exe
2768	xcuxe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
3064	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3048	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	taskkill.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe
2768	xcuxe.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2864	2784	67a47a00e0217b23421354a859d6fafd.exe	29
PID 2784 wrote to memory of 2864	2784	67a47a00e0217b23421354a859d6fafd.exe	29
PID 2784 wrote to memory of 2864	2784	67a47a00e0217b23421354a859d6fafd.exe	29
PID 2784 wrote to memory of 2864	2784	67a47a00e0217b23421354a859d6fafd.exe	29
PID 2864 wrote to memory of 3064	2864	cmd.exe	30
PID 2864 wrote to memory of 3064	2864	cmd.exe	30
PID 2864 wrote to memory of 3064	2864	cmd.exe	30
PID 2864 wrote to memory of 3064	2864	cmd.exe	30
PID 2864 wrote to memory of 3048	2864	cmd.exe	32
PID 2864 wrote to memory of 3048	2864	cmd.exe	32
PID 2864 wrote to memory of 3048	2864	cmd.exe	32
PID 2864 wrote to memory of 3048	2864	cmd.exe	32
PID 2864 wrote to memory of 2768	2864	cmd.exe	33
PID 2864 wrote to memory of 2768	2864	cmd.exe	33
PID 2864 wrote to memory of 2768	2864	cmd.exe	33
PID 2864 wrote to memory of 2768	2864	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\67a47a00e0217b23421354a859d6fafd.exe
"C:\Users\Admin\AppData\Local\Temp\67a47a00e0217b23421354a859d6fafd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2784 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\67a47a00e0217b23421354a859d6fafd.exe" & start C:\Users\Admin\AppData\Local\xcuxe.exe -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /pid 2784
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:3048
- - C:\Users\Admin\AppData\Local\xcuxe.exe
    C:\Users\Admin\AppData\Local\xcuxe.exe -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\xcuxe.exe

Filesize
183KB

MD5
d041a102d9dd496b57980e5e49e481d9

SHA1
c7f8b8cba335054b956e95576f85aa8c728232ee

SHA256
55524d9a25d70abe135b21dcabb6d92bfe297679c0b20800c6b495153a41d533

SHA512
c53f092047dc61843deec28e429686188fa2a2f97ae6c9063cc1d48eeaeb2fad34130ff3b3e4e3140c28c0d99fb3b938e01c4913bd5c631383bd79b088aba2fe

Download Submit
C:\Users\Admin\AppData\Local\xcuxe.exe

Filesize
151KB

MD5
5f157fcb0f8ae7e03df8065c46c51fc8

SHA1
372bf722cc28ed26b80d0de339054747adf1ad0d

SHA256
3d130f7e2ff7dd975d43db515af9edb3abe67e893b160aa5042fb00e9450fd5d

SHA512
82f3a2164bf21f58aeaf2272bd4c9b026370f9786aceb29033d7ab80f8c8fbc7a88a0a53dc75c2211ff1d6c6be00b892e6a5fa2ed5fd59cf73a61fc9fc92392c

Download Submit
\Users\Admin\AppData\Local\xcuxe.exe

Filesize
147KB

MD5
6959b18e72539220a1d3dfdc578c4a63

SHA1
81ebbdcb5173b2c211b0abb7274c872b440d785b

SHA256
a632b015ca6aedb246d7180f4f83bab1c2414cf9835de3e6e16d0944dd7cea19

SHA512
8c8b46959450eb0c57ade4c22a16cb2e1cb1ed17f1ad633424b3ea111ddec18818269c564bada83c3c8ac3962c6ca9ca8d6a3794f8f37c6c9263a0e2c0d1025b

Download Submit
\Users\Admin\AppData\Local\xcuxe.exe

Filesize
164KB

MD5
3b7c53698731d610aeeae80a50b57ed3

SHA1
77f1e2ecbc4e67c9243995c4e797997cbbfd2254

SHA256
a08312ee77eafe9a73f134d4b421c45b492562bcdad790c4489eb445bc2f86ee

SHA512
78fd3abbcabd0b98c0ec3941c38a4db461d4d3e0532b81425aea41d1c0faccfad43466bbd6e56dcc1e3f7690b9922fc4805aae47cc80104515d1d467f4731c90

Download Submit
\Users\Admin\AppData\Local\xcuxe.exe

Filesize
181KB

MD5
53a7cbfdac06e0abaad6ac7291bd38bc

SHA1
f485acc3ed9344b13230a7d0af0b6b119051e3cd

SHA256
296bfeecfe84e1589084b21a3071cd4b4968a947a04829eaa6ea3f96e46d5457

SHA512
c3678e04018b60e45e4157a83ade1e4e387feed186a35100c8c68a0e2175a321ba907b1efcee6e52697182f0aa1ab27475e1e86922fd55530df72ea9d5fd6356

Download Submit
memory/2768-21-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2768-18-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2768-28-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2768-27-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2768-12-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2768-16-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2768-17-0x0000000000430000-0x0000000000432000-memory.dmp

Filesize
8KB

Download
memory/2768-26-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2768-14-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2768-25-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2768-24-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2768-23-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2768-19-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2768-22-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2784-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2784-7-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2784-1-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2784-0-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2784-3-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2784-6-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/2784-4-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download