047f5c62fdbdc234d2bb559030870866773455592035e524a42be8cedf5fa55b

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 13:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

71335cdb13889d6bd866ed8f1e34f9a2.exe
Size

144KB
MD5

71335cdb13889d6bd866ed8f1e34f9a2
SHA1

1aa976b047e2c21313613bc909141d538a1d707c
SHA256

047f5c62fdbdc234d2bb559030870866773455592035e524a42be8cedf5fa55b
SHA512

e2b576b2e95e1f572659627eff908fe175c2ae7861acd709a89b0ea82182c77b570b75a0c36596d88edfe488e0721bb7a6a31e3d512ce1395763a1ecfab3fe36
SSDEEP

3072:tJ2FUNrDc//////BaFoCqzmdOICP0g4e9IV63X:zrNHc//////AFopzmdOJ0g/iwX

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2796	´«Ææ¹éÀ´_a25.exe
2784	ÈÈÑª´«Ææ_a25.exe

Loads dropped DLL 25 IoCs

pid	Process
2744	cmd.exe
2656	cmd.exe
2744	cmd.exe
2656	cmd.exe
2920	rundll32.exe
2920	rundll32.exe
2920	rundll32.exe
2240	rundll32.exe
2920	rundll32.exe
2728	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2156	rundll32.exe
2240	rundll32.exe
2728	rundll32.exe
2920	rundll32.exe
2676	rundll32.exe
2680	rundll32.exe
2728	rundll32.exe
2920	rundll32.exe
2920	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b00000001224c-18.dat	upx
behavioral1/memory/2784-43-0x0000000000400000-0x0000000000621000-memory.dmp	upx
behavioral1/memory/2796-42-0x0000000000400000-0x0000000000621000-memory.dmp	upx
behavioral1/memory/2744-10-0x00000000023D0000-0x00000000025F1000-memory.dmp	upx
behavioral1/files/0x000d000000012325-9.dat	upx

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msctfime.ime	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\DllCache\msctfime.ime	rundll32.exe
File created	C:\Windows\SysWOW64\msctfime.imekYwYK	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\DllCache\msctfime.imePfXLc	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\DllCache\msctfime.imekYwYK	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\msctfime.imekYwYK	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\msctfime.ime	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\DllCache\msctfime.ime	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\msctfime.imePfXLc	rundll32.exe
File created	C:\Windows\SysWOW64\msctfime.imePfXLc	rundll32.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\mml08016.ocx	ÈÈÑª´«Ææ_a25.exe
File created	C:\Program Files\Common Files\0F760A0Fce.dll	ÈÈÑª´«Ææ_a25.exe
File created	C:\Program Files\Common Files\mml02011.ocx	´«Ææ¹éÀ´_a25.exe
File opened for modification	C:\Program Files\Common Files\mml02011.ocx	´«Ææ¹éÀ´_a25.exe
File created	C:\Program Files\Common Files\mml99018.ocx	´«Ææ¹éÀ´_a25.exe
File created	C:\Program Files\Common Files\0F7609F0ce.dll	´«Ææ¹éÀ´_a25.exe
File opened for modification	C:\Program Files\Common Files\0F7609F0ce.dll	´«Ææ¹éÀ´_a25.exe
File created	C:\Program Files\Common Files\mml08016.ocx	ÈÈÑª´«Ææ_a25.exe
File created	C:\Program Files\Common Files\mml99018.ocx	ÈÈÑª´«Ææ_a25.exe
File opened for modification	C:\Program Files\Common Files\0F760A0Fce.dll	ÈÈÑª´«Ææ_a25.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2796	´«Ææ¹éÀ´_a25.exe
2784	ÈÈÑª´«Ææ_a25.exe
2156	rundll32.exe
2156	rundll32.exe
2156	rundll32.exe
2156	rundll32.exe
2156	rundll32.exe
2156	rundll32.exe
2680	rundll32.exe
2680	rundll32.exe
2680	rundll32.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
2920	rundll32.exe
2676	rundll32.exe
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2920	rundll32.exe
Token: SeLoadDriverPrivilege	2676	rundll32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2744	1988	71335cdb13889d6bd866ed8f1e34f9a2.exe	25
PID 1988 wrote to memory of 2744	1988	71335cdb13889d6bd866ed8f1e34f9a2.exe	25
PID 1988 wrote to memory of 2744	1988	71335cdb13889d6bd866ed8f1e34f9a2.exe	25
PID 1988 wrote to memory of 2744	1988	71335cdb13889d6bd866ed8f1e34f9a2.exe	25
PID 1988 wrote to memory of 2656	1988	71335cdb13889d6bd866ed8f1e34f9a2.exe	24
PID 1988 wrote to memory of 2656	1988	71335cdb13889d6bd866ed8f1e34f9a2.exe	24
PID 1988 wrote to memory of 2656	1988	71335cdb13889d6bd866ed8f1e34f9a2.exe	24
PID 1988 wrote to memory of 2656	1988	71335cdb13889d6bd866ed8f1e34f9a2.exe	24
PID 2744 wrote to memory of 2784	2744	cmd.exe	21
PID 2744 wrote to memory of 2784	2744	cmd.exe	21
PID 2744 wrote to memory of 2784	2744	cmd.exe	21
PID 2744 wrote to memory of 2784	2744	cmd.exe	21
PID 2656 wrote to memory of 2796	2656	cmd.exe	20
PID 2656 wrote to memory of 2796	2656	cmd.exe	20
PID 2656 wrote to memory of 2796	2656	cmd.exe	20
PID 2656 wrote to memory of 2796	2656	cmd.exe	20
PID 2796 wrote to memory of 2240	2796	´«Ææ¹éÀ´_a25.exe	19
PID 2796 wrote to memory of 2240	2796	´«Ææ¹éÀ´_a25.exe	19
PID 2796 wrote to memory of 2240	2796	´«Ææ¹éÀ´_a25.exe	19
PID 2796 wrote to memory of 2240	2796	´«Ææ¹éÀ´_a25.exe	19
PID 2796 wrote to memory of 2240	2796	´«Ææ¹éÀ´_a25.exe	19
PID 2796 wrote to memory of 2240	2796	´«Ææ¹éÀ´_a25.exe	19
PID 2796 wrote to memory of 2240	2796	´«Ææ¹éÀ´_a25.exe	19
PID 2796 wrote to memory of 2920	2796	´«Ææ¹éÀ´_a25.exe	18
PID 2796 wrote to memory of 2920	2796	´«Ææ¹éÀ´_a25.exe	18
PID 2796 wrote to memory of 2920	2796	´«Ææ¹éÀ´_a25.exe	18
PID 2796 wrote to memory of 2920	2796	´«Ææ¹éÀ´_a25.exe	18
PID 2796 wrote to memory of 2920	2796	´«Ææ¹éÀ´_a25.exe	18
PID 2796 wrote to memory of 2920	2796	´«Ææ¹éÀ´_a25.exe	18
PID 2796 wrote to memory of 2920	2796	´«Ææ¹éÀ´_a25.exe	18
PID 2796 wrote to memory of 2680	2796	´«Ææ¹éÀ´_a25.exe	17
PID 2796 wrote to memory of 2680	2796	´«Ææ¹éÀ´_a25.exe	17
PID 2796 wrote to memory of 2680	2796	´«Ææ¹éÀ´_a25.exe	17
PID 2796 wrote to memory of 2680	2796	´«Ææ¹éÀ´_a25.exe	17
PID 2796 wrote to memory of 2680	2796	´«Ææ¹éÀ´_a25.exe	17
PID 2796 wrote to memory of 2680	2796	´«Ææ¹éÀ´_a25.exe	17
PID 2796 wrote to memory of 2680	2796	´«Ææ¹éÀ´_a25.exe	17
PID 2784 wrote to memory of 2728	2784	ÈÈÑª´«Ææ_a25.exe	16
PID 2784 wrote to memory of 2728	2784	ÈÈÑª´«Ææ_a25.exe	16
PID 2784 wrote to memory of 2728	2784	ÈÈÑª´«Ææ_a25.exe	16
PID 2784 wrote to memory of 2728	2784	ÈÈÑª´«Ææ_a25.exe	16
PID 2784 wrote to memory of 2728	2784	ÈÈÑª´«Ææ_a25.exe	16
PID 2784 wrote to memory of 2728	2784	ÈÈÑª´«Ææ_a25.exe	16
PID 2784 wrote to memory of 2728	2784	ÈÈÑª´«Ææ_a25.exe	16
PID 2784 wrote to memory of 2676	2784	ÈÈÑª´«Ææ_a25.exe	15
PID 2784 wrote to memory of 2676	2784	ÈÈÑª´«Ææ_a25.exe	15
PID 2784 wrote to memory of 2676	2784	ÈÈÑª´«Ææ_a25.exe	15
PID 2784 wrote to memory of 2676	2784	ÈÈÑª´«Ææ_a25.exe	15
PID 2784 wrote to memory of 2676	2784	ÈÈÑª´«Ææ_a25.exe	15
PID 2784 wrote to memory of 2676	2784	ÈÈÑª´«Ææ_a25.exe	15
PID 2784 wrote to memory of 2676	2784	ÈÈÑª´«Ææ_a25.exe	15
PID 2784 wrote to memory of 2156	2784	ÈÈÑª´«Ææ_a25.exe	14
PID 2784 wrote to memory of 2156	2784	ÈÈÑª´«Ææ_a25.exe	14
PID 2784 wrote to memory of 2156	2784	ÈÈÑª´«Ææ_a25.exe	14
PID 2784 wrote to memory of 2156	2784	ÈÈÑª´«Ææ_a25.exe	14
PID 2784 wrote to memory of 2156	2784	ÈÈÑª´«Ææ_a25.exe	14
PID 2784 wrote to memory of 2156	2784	ÈÈÑª´«Ææ_a25.exe	14
PID 2784 wrote to memory of 2156	2784	ÈÈÑª´«Ææ_a25.exe	14
PID 2784 wrote to memory of 1184	2784	ÈÈÑª´«Ææ_a25.exe	30
PID 2796 wrote to memory of 1184	2796	´«Ææ¹éÀ´_a25.exe	30

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Program Files\Common Files\mml08016.ocx" pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\ÈÈÑª´«Ææ_a25.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2156

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Program Files\Common Files\0F760A0Fce.dll" m3
1⤵
- Loads dropped DLL
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Program Files\Common Files\mml99018.ocx" pfjieaoidjglkajd
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:2728

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Program Files\Common Files\mml02011.ocx" pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\´«Ææ¹éÀ´_a25.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2680

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Program Files\Common Files\0F7609F0ce.dll" m3
1⤵
- Loads dropped DLL
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Program Files\Common Files\mml99018.ocx" pfjieaoidjglkajd
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:2240

C:\Users\Admin\AppData\Local\Temp\´«Ææ¹éÀ´_a25.exe
C:\Users\Admin\AppData\Local\Temp\\´«Ææ¹éÀ´_a25.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2796

C:\Users\Admin\AppData\Local\Temp\ÈÈÑª´«Ææ_a25.exe
C:\Users\Admin\AppData\Local\Temp\\ÈÈÑª´«Ææ_a25.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\\´«Ææ¹éÀ´_a25.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\\ÈÈÑª´«Ææ_a25.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744

C:\Users\Admin\AppData\Local\Temp\71335cdb13889d6bd866ed8f1e34f9a2.exe
"C:\Users\Admin\AppData\Local\Temp\71335cdb13889d6bd866ed8f1e34f9a2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\´«Ææ¹éÀ´_a25.exe

Filesize
54KB

MD5
5d553db42163e417216a9427db26c185

SHA1
d85ec61815daa59c0abdc50a1dea98b542e613b0

SHA256
46502dbffdccc2f0c9e23ba3c2a171c085efdc307c5b6c82334fc8a3e10fb337

SHA512
a134441d49725585bd6b74fe605e9e255595df83bd98ccd9962f0bf3978e74562f81ba320e60122276ee7a1cd4d32850c0bccce2e13d79bae910694123dfecf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÈÈÑª´«Ææ_a25.exe

Filesize
56KB

MD5
067dfc39f265054086bbfb6448ad35b4

SHA1
58931e290d2826d2b00d5451f1f9aecb6ecff002

SHA256
49fa36a88e79b9b7b470989d906c206c6d95a037585941bdec05b42d83d02fac

SHA512
607be941f612d0b276535ee8923c3cd95bb036ba1d328781626a118e62c94e7ef4eb3249e3cbcff487aaa8b1c756fc1f63355495e12b45468ca488759f570888

Download Submit
\Program Files\Common Files\0F7609F0ce.dll

Filesize
10KB

MD5
83bf84090cd41cb647b22e0c21e268df

SHA1
d3bf3a2684008150713a6775b80661a57a14bd84

SHA256
e2ddc61c1d5c52f968479ec0284e5d3f47011b2f1b7658cf7ef26673b21549e7

SHA512
c1dea1500809d8ab88b04c206ac1ab9c6c193b91613a8b87d9b88c74c80dfc1d60857cc6b0717ac5f30088d857f066132fb78499bf6de60047b9322e5ea9ea7a

Download Submit
\Program Files\Common Files\mml08016.ocx

Filesize
68KB

MD5
602016c5637d76874907d994517f38f0

SHA1
78c1ac26465af504cd387de0bfa46221736f954e

SHA256
e7363c23763d00f8581c04c459131321b882f9c0948bc35b67ae022305872354

SHA512
d35279553314704fe005dcadf72e083ed82d45404d9d06812ba4613a2800b5666dfbbe4c75860d4c83853b7ca3536a4138118d8d5756aa413f89589cb766a925

Download Submit
\Program Files\Common Files\mml99018.ocx

Filesize
19KB

MD5
02945b7d831efa4524138e98dcdf92e5

SHA1
f402b05b30b4309422d756a966c0ecef31dc7ada

SHA256
4c28f9bf021d38e1ed41c8d458355d9fd3e4accb2259b1f4811b64c5a3ea52ca

SHA512
d704db1b43f848cb1433eb45533b63418c79cb81b1cc77ec3a67b50227b0f987d023be4c04b795c93ad172e6efd4856c341c99df4b8af8528a792b3379200217

Download Submit
memory/1184-39-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1988-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2240-49-0x0000000002250000-0x0000000002465000-memory.dmp

Filesize
2.1MB

Download
memory/2240-71-0x0000000010000000-0x0000000010208000-memory.dmp

Filesize
2.0MB

Download
memory/2240-64-0x0000000002250000-0x0000000002465000-memory.dmp

Filesize
2.1MB

Download
memory/2240-55-0x0000000010000000-0x0000000010208000-memory.dmp

Filesize
2.0MB

Download
memory/2656-17-0x00000000023E0000-0x0000000002601000-memory.dmp

Filesize
2.1MB

Download
memory/2676-78-0x0000000002300000-0x0000000002516000-memory.dmp

Filesize
2.1MB

Download
memory/2676-77-0x00000000025C0000-0x00000000027C8000-memory.dmp

Filesize
2.0MB

Download
memory/2676-75-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/2676-66-0x0000000002300000-0x0000000002516000-memory.dmp

Filesize
2.1MB

Download
memory/2728-74-0x0000000002300000-0x0000000002515000-memory.dmp

Filesize
2.1MB

Download
memory/2728-72-0x0000000002520000-0x0000000002736000-memory.dmp

Filesize
2.1MB

Download
memory/2728-57-0x0000000002520000-0x0000000002736000-memory.dmp

Filesize
2.1MB

Download
memory/2728-73-0x0000000010000000-0x0000000010208000-memory.dmp

Filesize
2.0MB

Download
memory/2728-50-0x0000000002300000-0x0000000002515000-memory.dmp

Filesize
2.1MB

Download
memory/2744-10-0x00000000023D0000-0x00000000025F1000-memory.dmp

Filesize
2.1MB

Download
memory/2784-43-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/2796-42-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/2920-63-0x0000000002510000-0x0000000002726000-memory.dmp

Filesize
2.1MB

Download
memory/2920-51-0x00000000020E0000-0x00000000022F5000-memory.dmp

Filesize
2.1MB

Download
memory/2920-76-0x0000000002300000-0x0000000002508000-memory.dmp

Filesize
2.0MB

Download
memory/2920-45-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/2920-80-0x0000000002510000-0x0000000002726000-memory.dmp

Filesize
2.1MB

Download
memory/2920-79-0x00000000020E0000-0x00000000022F5000-memory.dmp

Filesize
2.1MB

Download
memory/2920-81-0x0000000002510000-0x0000000002726000-memory.dmp

Filesize
2.1MB

Download