9e33e2870c4c8e1232706735a6741d387a7370cda9eb2c2c7da10126c059da11

Analysis

max time kernel
141s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tcmd756a.exe
Size

3.1MB
MD5

018b847fb44bbbae21236d995aca172e
SHA1

0771334a3620ebdca43c8e73fad3cccb321284df
SHA256

75733d8a571aaede68bd8e6356367e908386d6fdd90853ec9136d09de2929bc9
SHA512

3e1e77d6ce2f6db901d6ab90f151c11f28486067bb01d53c30e7809508275974da0ee7d1e53ebbc9d7146e1637e21e562cb83af474a3016abab2fe29417fb9d8
SSDEEP

49152:cPaz0sfVVr2muAnosrzvh/HktFh5vVlgFBD44t6HE7njAoQXf3g1XiRHudgkOFOF:6azhVVSmuiTBiblVy44t6KnFOVs

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2876	install.exe

Loads dropped DLL 1 IoCs

pid	Process
2356	tcmd756a.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002d0000000142b4-21.dat	upx
behavioral1/memory/2356-23-0x00000000002A0000-0x00000000002C7000-memory.dmp	upx
behavioral1/memory/2876-26-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2876-30-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2876	install.exe
2876	install.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2876	install.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2876	2356	tcmd756a.exe	28
PID 2356 wrote to memory of 2876	2356	tcmd756a.exe	28
PID 2356 wrote to memory of 2876	2356	tcmd756a.exe	28
PID 2356 wrote to memory of 2876	2356	tcmd756a.exe	28
PID 2356 wrote to memory of 2876	2356	tcmd756a.exe	28
PID 2356 wrote to memory of 2876	2356	tcmd756a.exe	28
PID 2356 wrote to memory of 2876	2356	tcmd756a.exe	28

C:\Users\Admin\AppData\Local\Temp\tcmd756a.exe
"C:\Users\Admin\AppData\Local\Temp\tcmd756a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\$wc0\install.exe
  C:\Users\Admin\AppData\Local\Temp\$wc0\install.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$wc0\install.inf

Filesize
4KB

MD5
15c423e42a101c8eb15253d6fbe83233

SHA1
ab6da33a1dadc9b67a5f83e949ec8cb55814824e

SHA256
b4e31073badfe0159ff62522b9d4e34f5b010910843ee25f65ff904b6dfb5e4a

SHA512
356073aac21ae5c8b111fb775912509f5d49b7a0795e4896c9d1aa0a8dc2d58f60fd17a5edd5bbd2f9259916b90f9e6ac1a6b67de52a64938dd08925183c5c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\$wc0\install.lng

Filesize
52KB

MD5
c01564dcb319d291724dc9531b591456

SHA1
f81ada09cf6a6fa36d1e5cf993964a7a004c32ab

SHA256
f479bcbdb563f29d7b88c142226372e5ebad59f98b4b9d56428aab630d3b8ba5

SHA512
0a8f915300d3a78602c321a5c143aa2bb26898cc7a433ef8cbae637674ba50cf43ad1f22a202627dc533fefaef58a62db05e4647254c238df075411357ee631a

Download Submit
\Users\Admin\AppData\Local\Temp\$wc0\INSTALL.EXE

Filesize
61KB

MD5
0ec1ed7b26450d411b99f2bd812dcef2

SHA1
39982d4490ee9f9caa654be6948f9b1690b114af

SHA256
ee3c7ff5b78edf0ea14a500bd7aaba36f1fb85dd7ef576415f1e1daf09e79dfc

SHA512
d9859e6550a6701d24016eb09cc3a9bd7bcefc3b54a3af3db7b1807ce149236ee87fc576971934512eae6d6032fdf08423b066b9c788f37cf0962088fa6fb33f

Download Submit
memory/2356-23-0x00000000002A0000-0x00000000002C7000-memory.dmp

Filesize
156KB

Download
memory/2356-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2876-26-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2876-30-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download