e1020f628fea15bdc4daa9f6d682b64df979ca99f658485f5bea2ad4b2da25b6

Analysis

max time kernel
141s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 16:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7af394c83348184a734b37fd714d94ed.exe
Size

1.3MB
MD5

7af394c83348184a734b37fd714d94ed
SHA1

e1c8423f33659437189a032a10f8ece9b1fd555f
SHA256

e1020f628fea15bdc4daa9f6d682b64df979ca99f658485f5bea2ad4b2da25b6
SHA512

6a4eddb15c6b2eee8be09242da1e67fb0d7a963c32eb7c4c0082e5a8b2cb9b827a94fc6918e32cca4457c0d7b0991e4fb1ce110bb1b3a1770eefb94a8b69b34a
SSDEEP

24576:ABqBEqfRXyRLyvMgiCMKt4KsjNd3RIUaW8Klyg7Aor439s3rB+b:AoBEORiRLTAsHjNdSyV2s3Yb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2480	7za.exe
2032	fupx_Ko.exe

Loads dropped DLL 4 IoCs

pid	Process
1228	7af394c83348184a734b37fd714d94ed.exe
1228	7af394c83348184a734b37fd714d94ed.exe
1228	7af394c83348184a734b37fd714d94ed.exe
1228	7af394c83348184a734b37fd714d94ed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2480	1228	7af394c83348184a734b37fd714d94ed.exe	28
PID 1228 wrote to memory of 2480	1228	7af394c83348184a734b37fd714d94ed.exe	28
PID 1228 wrote to memory of 2480	1228	7af394c83348184a734b37fd714d94ed.exe	28
PID 1228 wrote to memory of 2480	1228	7af394c83348184a734b37fd714d94ed.exe	28
PID 1228 wrote to memory of 2032	1228	7af394c83348184a734b37fd714d94ed.exe	30
PID 1228 wrote to memory of 2032	1228	7af394c83348184a734b37fd714d94ed.exe	30
PID 1228 wrote to memory of 2032	1228	7af394c83348184a734b37fd714d94ed.exe	30
PID 1228 wrote to memory of 2032	1228	7af394c83348184a734b37fd714d94ed.exe	30

C:\Users\Admin\AppData\Local\Temp\7af394c83348184a734b37fd714d94ed.exe
"C:\Users\Admin\AppData\Local\Temp\7af394c83348184a734b37fd714d94ed.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\temp44\7za.exe
  "C:\Users\Admin\AppData\Local\Temp\temp44\7za.exe" x -t7z "C:\Users\Admin\AppData\Local\Temp\temp44\pack.7z" -o"C:\Users\Admin\AppData\Local\Temp\temp44"
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\temp44\fupx_Ko.exe
  C:\Users\Admin\AppData\Local\Temp\temp44\fupx_Ko.exe
  2⤵
  - Executes dropped EXE
  PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp44\fupx.ini

Filesize
346B

MD5
ec208b5727737f6d1bd0b1c181c28f3d

SHA1
66c31f666836533bbd3926fe4fa5a55e67bce200

SHA256
b09b80f98252453284495452c81f29ea77411c419174d1a289e7c83ecdca1ce8

SHA512
907a75d2fb59201702cd9d292e78d7ca424cb375b83e683f346f5c2dece806cdc55e4b252c05ab945eff8ec9c7676dc7a87c59510ec9736f5324a8a1e2f701a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp44\fupx_Ko.exe

Filesize
841KB

MD5
3c890273214faa477a8633121489284f

SHA1
4af8c89b48d8f06e8619c1af80e5a6cfaf835529

SHA256
fa48ec7ca2475a38fbc7074d4f77a72f8edd8719c4ab33ee15ff5c2a955ff8b5

SHA512
fcee8ac8b6f4a8d63774b116f20f720cf8f5ae6553b93ca6dbfe900fb8d145665111ab1b7eb766f776c23d19df60b56d915b11124f40b95196d153c510f71d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp44\fupx_Ko.exe

Filesize
321KB

MD5
45a011467d3b2366abbfefc6b9368c98

SHA1
4cfa10d10b27792e06929b52da03abf727a97e0a

SHA256
48acefce43f1a5cc5f81919ba587dfb793b6459b6c939b3c65873f7789ea216b

SHA512
048f6567e1f1c565914d69e8686454ca5d5d4ab3121b60e84bd2f7b6a2aad6a7b4339c8e20bffb4b8adfb44782eb92aa4d2778c6900c6cc2b985001522230488

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp44\pack.7z

Filesize
588KB

MD5
aabf68ccedc0d11fd8c5608af85c248a

SHA1
03967cdb07a0c16791f57ad0309af296b7d76f1a

SHA256
a9e5c8105f7795030e40879b3261cf0ecd0b970932e5a231f2015c7d19825d09

SHA512
275fae03a176e211ebff39594f423ef03e45b362c4444f4e4142a925519f6ac4905bce4d51d109fc9094661ce5ec4bfce17169f5f2eefec93fba6e6a5b219124

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp44\profiles\01. Default compression - no backup file.ini

Filesize
1KB

MD5
e61381d5acd858053b3611a95f19fb59

SHA1
4578a51e4b05e4010ac3207900f95859c22e80a0

SHA256
890e2c99e6f3bdc8d454960c9cc72e1d6bc1426c662d14d302604bdc1c77088f

SHA512
2cd5c4824d057e051eafd9de9308488648ceddcc3eaea9128f5a90311ac5387cb4663467ac07efd84a4ce7b07b01616b100bf8e4d240abec0c681deb73889be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp44\profiles\02. Default compression - backup file.ini

Filesize
1KB

MD5
969ed68242ea98e7de95d043d82ec2fa

SHA1
d733f45484f064256a45185a96a0663657833d44

SHA256
b550dccd6953e1ded43f8546c780d767774039a9763e91bc2463b2c77833ce59

SHA512
5584553d899e41071bc0f0e34c33ea44d7f60349ddaf3b9395a8ad90824f390e4e585111907fc5cca6b291ef97be8e5ccce9107daf70306b7f2562856e4b4514

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp44\profiles\03. Default compression - no res.ini

Filesize
1KB

MD5
f11687a4cfac72d3c92977e0ed53d033

SHA1
20aeb4dd1abab23f225e66496ba1d0da23e84d26

SHA256
22373dac010cc6d17fffece40218ec9609c8b774288b3b6a00984eb60242c203

SHA512
4046c7533b8c3438e7cc2d1d8948583b3d11c117de7d1f529f670b51c47af07bb60c9eb19358163fb316da3d2e30920648ef577c5ac05ac0062138a956396e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp44\profiles\10. Best compression - no backup file.ini

Filesize
1KB

MD5
30850cada5f188a4f08d8794fb152f89

SHA1
a1b4081dec06c044741aa5a4af56eea273a85bf7

SHA256
6bc97c41e850d8af67ff68bda81831ca80527bfe6247f9ea7f5fe667cf5944a3

SHA512
0bedba48958c1254053cdd90466c330a3d1d1d9146524c7001e7b4e13058a887e9860afb2175f9e221f8e7d367579ff4433435d39f4167e004daf86618a7b394

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp44\profiles\11. Best compression - backup file.ini

Filesize
1KB

MD5
a16672973f85a1b523652a1d94ae1188

SHA1
637bd4317d2c50e002d1f6eafa4af4fb2a1f5ba2

SHA256
e3916d13261bbd3c1163aac614f1ec4acc27eec10374cf1788b94e0a7e0846e5

SHA512
a30ba3a6ef8ea2aa901fea9f2a64301c494227c1eb3cdab2fb04ad90e9d7bee169d2299efacdf37b9a4bbb3d72bca007ba860929147f1df8b38b9138dd67a861

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp44\profiles\12. Best compression - no res.ini

Filesize
1KB

MD5
e9179948a9b08d7f84ee27ddf6c5b2d7

SHA1
1cc951ada8851a6070ca9b1ac717e69ca03c10d1

SHA256
057e094471f650e610eba5d791d9ffa25c09728814d8fa8fa5f00e1ca9a8ceca

SHA512
9c479f7f504de3ada188dd07e0df14a31e0de3fcb22d2c3b5eac96955c5b0a483f6d048b3c99937bddcd5eb88b75c9eda4077f9fe52f5a66ff9043b2deb7d54f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp44\profiles\20. Default compression - CPU 8086.ini

Filesize
1KB

MD5
f77ed212ef2bd3490d7935df003954d8

SHA1
838d976200e87f276f24694b5bea27fbdadbcaa3

SHA256
e0fa551f7b669978738731da5bab697bdca548694b51d09128d123d979670c50

SHA512
2bffa129187ede8d8a9ba90744608d82c08a7eb0a9c27d0db046a40936a078edae695afc6ca304d6b3710b01254ef4da97aee9ca0619a40dc36821ffb66f943b

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp44\profiles\21. Default compression - LZMA.ini

Filesize
1KB

MD5
41ad30bd2aecbe1c4371399680351f14

SHA1
df0e527c66e41244f2a9ce84862698f1b8ea40f7

SHA256
d871a36ff8f480888e5b6f789d3d60210ef02a372a06d81ab89a79c476159914

SHA512
f377c9c38416bfed9fe7bdac297f220d95a58750eb95b03963b204d60a0dac8cccd443253c778c852df05fa91604d25c43e387a0222858458b9cbea27338fa92

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp44\profiles\30. User.ini

Filesize
1KB

MD5
ac26b1824efad4a3591f47db8a5b9331

SHA1
7d800cd74066ff95cce91fea2907f5b6262c1b1b

SHA256
450295fda55a5d21be4c40e70cefe13357da6a1896eef3898705d4801b18d029

SHA512
4c5ca0134e7032b34af75fdfee051bdaa0ae1bcf84c67b819e10221c5d6081ca298388b94e7b6ee46282afa7bb512ef1d41d0daf7cd7a3a3fa59327cbc1ba90a

Download Submit
\Users\Admin\AppData\Local\Temp\temp44\7za.exe

Filesize
448KB

MD5
3f60fc497a1968fe7eed36ea74bb983f

SHA1
7451616548e6d429c0ae09184091e109f57886d2

SHA256
f745b96a72dc63bc0a618122a412e1451dab89a204d79ac70073a46e11ed29c6

SHA512
8cbf700e17c68d7fd657578efcd30e740cc322a1fa64e3c0ee4777b5a096ef8e84ccf4aadd4bf4b3c4499f35d617ac74e868c2eae57b9383227b8036bd4c90ff

Download Submit
\Users\Admin\AppData\Local\Temp\temp44\7za.exe

Filesize
505KB

MD5
4d7d12da20ab48fc20e6cb5b0d4ebc0d

SHA1
d9d09cdb20a6711cbe9e29662e88502dec1d305c

SHA256
061c79c063ecdb18b2cd134a7a7545b5d25fd3577630b9d497cbaa1139c7db7c

SHA512
1081ab4f640429ce87704a2d2cda6bab8a5f91375fb8508904c816a4c7cf2847cc6c7c83ae2a284fe4b74f0faf253b78d1accd5ef537b0531476dfe991201958

Download Submit
\Users\Admin\AppData\Local\Temp\temp44\fupx_Ko.exe

Filesize
645KB

MD5
7c090866042c67046f997d1913062ed4

SHA1
addd7ca4e7ca1d76de5972dcc263346455e6ce52

SHA256
91c8e7cbb6f41938fa58db22e845f485cee663ea8d58b06fb66faa8094e05372

SHA512
21ad35f887693e45937c31d15b2a05c6570e32f3ebf6240cdde21340d2bd282baa0c0be3662d915d303e3a31a3fd8abd19db205a6bdc824bc2364967b3c0b6ec

Download Submit
memory/1228-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2032-62-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2032-74-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2032-76-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download