dd852e14b591af803337cad469b39da4b4b6d4e19f81c1d67b1d968549877be4

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 10:42

Target

6833180421237c87b3c66abc37a50b34.exe
Size

27KB
MD5

6833180421237c87b3c66abc37a50b34
SHA1

aa062c5bd537bdb0cf1ceaf6cc6627e20aead53e
SHA256

dd852e14b591af803337cad469b39da4b4b6d4e19f81c1d67b1d968549877be4
SHA512

31082ba82d205e5304d94cbbc34fce7f1f68ae9129282cefd7b61ac7e7990d502b5c227ea4fcf74baa0ec8fc5d6197aeaafe5f216ef84250b6efe44462a33cb7
SSDEEP

384:RGwA529oufmf7YjkijKgfWYOAELoWTX70lJvG5rWQs0QKFihL:RGv2nm7YbFfg1slZGvbkL

Score

7^/10

upx

Deletes itself 1 IoCs

pid	Process
1112	cmd.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2612-1-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2612	6833180421237c87b3c66abc37a50b34.exe
2612	6833180421237c87b3c66abc37a50b34.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2612	6833180421237c87b3c66abc37a50b34.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 1112	2612	6833180421237c87b3c66abc37a50b34.exe	33
PID 2612 wrote to memory of 1112	2612	6833180421237c87b3c66abc37a50b34.exe	33
PID 2612 wrote to memory of 1112	2612	6833180421237c87b3c66abc37a50b34.exe	33
PID 2612 wrote to memory of 1112	2612	6833180421237c87b3c66abc37a50b34.exe	33

C:\Users\Admin\AppData\Local\Temp\6833180421237c87b3c66abc37a50b34.exe
"C:\Users\Admin\AppData\Local\Temp\6833180421237c87b3c66abc37a50b34.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\683318~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1112

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2612-0-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/2612-1-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download