7f03ba236c90f9093d816809104f9fa50511c2a24613004d54336770f17dae45

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/12/2023, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe703956cc316fb282fb0dbf4b44be25.exe
Size

405KB
MD5

fe703956cc316fb282fb0dbf4b44be25
SHA1

bde9045c1e024099a6e8a3df9d7ee8dc200b10bb
SHA256

7f03ba236c90f9093d816809104f9fa50511c2a24613004d54336770f17dae45
SHA512

3f6bb6623324abd801d5b1fef54c6598707ce805319c50961aa9c3948e084775103266470fb2303aeec4ff76ecf3b39c88740fce4c1b8e44780aaa1b0361f632
SSDEEP

12288:EHLUMuiv9RgfSjAzRtyLpVv8Nukz2ztDx7K:etARCnkzR

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1948	server.exe
2728	server.exe

Loads dropped DLL 3 IoCs

pid	Process
1300	fe703956cc316fb282fb0dbf4b44be25.exe
1300	fe703956cc316fb282fb0dbf4b44be25.exe
1948	server.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1300-0-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/files/0x000c0000000132e1-6.dat	upx
behavioral1/files/0x000c0000000132e1-13.dat	upx
behavioral1/memory/1300-14-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/1948-16-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1300-8-0x0000000002640000-0x00000000026AC000-memory.dmp	upx
behavioral1/memory/1948-26-0x0000000000400000-0x000000000046C000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1300-14-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1948 set thread context of 2728	1948	server.exe	29
PID 1948 set thread context of 0	1948	server.exe
PID 1948 set thread context of 0	1948	server.exe
PID 1948 set thread context of 0	1948	server.exe
PID 1948 set thread context of 0	1948	server.exe
PID 1948 set thread context of 0	1948	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2728	server.exe
2728	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1948	server.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 1948	1300	fe703956cc316fb282fb0dbf4b44be25.exe	28
PID 1300 wrote to memory of 1948	1300	fe703956cc316fb282fb0dbf4b44be25.exe	28
PID 1300 wrote to memory of 1948	1300	fe703956cc316fb282fb0dbf4b44be25.exe	28
PID 1300 wrote to memory of 1948	1300	fe703956cc316fb282fb0dbf4b44be25.exe	28
PID 1948 wrote to memory of 2728	1948	server.exe	29
PID 1948 wrote to memory of 2728	1948	server.exe	29
PID 1948 wrote to memory of 2728	1948	server.exe	29
PID 1948 wrote to memory of 2728	1948	server.exe	29
PID 1948 wrote to memory of 2728	1948	server.exe	29
PID 1948 wrote to memory of 2728	1948	server.exe	29
PID 1948 wrote to memory of 2728	1948	server.exe	29
PID 1948 wrote to memory of 2728	1948	server.exe	29
PID 1948 wrote to memory of 0	1948	server.exe
PID 1948 wrote to memory of 0	1948	server.exe
PID 1948 wrote to memory of 0	1948	server.exe
PID 1948 wrote to memory of 0	1948	server.exe
PID 1948 wrote to memory of 0	1948	server.exe
PID 1948 wrote to memory of 0	1948	server.exe
PID 1948 wrote to memory of 0	1948	server.exe
PID 1948 wrote to memory of 0	1948	server.exe
PID 1948 wrote to memory of 0	1948	server.exe
PID 1948 wrote to memory of 0	1948	server.exe
PID 1948 wrote to memory of 0	1948	server.exe
PID 1948 wrote to memory of 0	1948	server.exe
PID 1948 wrote to memory of 0	1948	server.exe
PID 1948 wrote to memory of 0	1948	server.exe
PID 1948 wrote to memory of 0	1948	server.exe
PID 1948 wrote to memory of 0	1948	server.exe
PID 1948 wrote to memory of 0	1948	server.exe
PID 1948 wrote to memory of 0	1948	server.exe
PID 1948 wrote to memory of 0	1948	server.exe
PID 1948 wrote to memory of 0	1948	server.exe
PID 2728 wrote to memory of 1200	2728	server.exe	11
PID 2728 wrote to memory of 1200	2728	server.exe	11
PID 2728 wrote to memory of 1200	2728	server.exe	11
PID 2728 wrote to memory of 1200	2728	server.exe	11

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\fe703956cc316fb282fb0dbf4b44be25.exe
  "C:\Users\Admin\AppData\Local\Temp\fe703956cc316fb282fb0dbf4b44be25.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    C:\Users\Admin\AppData\Local\Temp/server.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
45KB

MD5
e0974a0e7b407bfc7d908200f7c8e6fb

SHA1
e94101b35399453813e92c315de923021c60d3d5

SHA256
6e2db2298b5d9e39a1b3004ff82596dd2e5c48bb5ad635ae5181502be9acd4a7

SHA512
afb43b3ba96b2c87eb0482231f5ef424dfb623850ea599be6b5e6a4971228f2084191a05c6eefb847295d97228baf653798985af993215f5be4630ef14560d45

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
124KB

MD5
6b69c911de7e26c0620c4cf5034992f4

SHA1
03719ae8128a3862750a20fc70f2d40ebd45168f

SHA256
81a5b891289fca909493bc6077f5be81bd6f8ffe401a1a488fa0b84d0cbe8b4e

SHA512
96a53d6688a45f1c123670c697876e3e4d9e7f102aa07dcdd4cb19b3fa104684730f7211c0710e00072b7718a623c5a68614ec39a9af7b1b3df0ffe8a2e96784

Download Submit
memory/1200-28-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1200-31-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1300-14-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1300-8-0x0000000002640000-0x00000000026AC000-memory.dmp

Filesize
432KB

Download
memory/1300-0-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1300-15-0x0000000002640000-0x00000000026AC000-memory.dmp

Filesize
432KB

Download
memory/1948-16-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1948-26-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2728-21-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2728-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2728-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2728-27-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2728-40-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/2728-42-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download