e1371b7ca6ff9bbbfb4bb56d3bd037ff261687a0218953d877066ffb6a2274ff

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08f25af2c15de686932f61a4fe60d206.exe
Size

29KB
MD5

08f25af2c15de686932f61a4fe60d206
SHA1

33963c77d471294635a7ad321e2e49521b3eb383
SHA256

e1371b7ca6ff9bbbfb4bb56d3bd037ff261687a0218953d877066ffb6a2274ff
SHA512

caf7e32c661e37635935fc8e0640f9b6cb3e88b72be013b645464260e5cad9521dd1a3baaf024321f5ab3bc069df2cfab9bb536be2f794fd5dd0410c2dfc67f3
SSDEEP

768:jk7Ajy1o0J422hHbJHXevS+tzxNFa2AFagUGbzzn4Lgq:jc4xC2hH5XYS+ON517n4Eq

Score

8^/10

persistence upx

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "services.exe"	08f25af2c15de686932f61a4fe60d206.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe	08f25af2c15de686932f61a4fe60d206.exe

Executes dropped EXE 1 IoCs

pid	Process
1264	~240632156.tmpe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2744-0-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/2744-1-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/2744-2-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/2744-6-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/2744-11-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2744	08f25af2c15de686932f61a4fe60d206.exe
2744	08f25af2c15de686932f61a4fe60d206.exe
2744	08f25af2c15de686932f61a4fe60d206.exe
2744	08f25af2c15de686932f61a4fe60d206.exe
2744	08f25af2c15de686932f61a4fe60d206.exe
2744	08f25af2c15de686932f61a4fe60d206.exe
2744	08f25af2c15de686932f61a4fe60d206.exe
2744	08f25af2c15de686932f61a4fe60d206.exe
2744	08f25af2c15de686932f61a4fe60d206.exe
2744	08f25af2c15de686932f61a4fe60d206.exe
2744	08f25af2c15de686932f61a4fe60d206.exe
2744	08f25af2c15de686932f61a4fe60d206.exe
1264	~240632156.tmpe
1264	~240632156.tmpe
1264	~240632156.tmpe
1264	~240632156.tmpe
1264	~240632156.tmpe
1264	~240632156.tmpe
1264	~240632156.tmpe
1264	~240632156.tmpe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	08f25af2c15de686932f61a4fe60d206.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 1904	2744	08f25af2c15de686932f61a4fe60d206.exe	91
PID 2744 wrote to memory of 1904	2744	08f25af2c15de686932f61a4fe60d206.exe	91
PID 2744 wrote to memory of 1904	2744	08f25af2c15de686932f61a4fe60d206.exe	91
PID 2744 wrote to memory of 1264	2744	08f25af2c15de686932f61a4fe60d206.exe	102
PID 2744 wrote to memory of 1264	2744	08f25af2c15de686932f61a4fe60d206.exe	102
PID 2744 wrote to memory of 1264	2744	08f25af2c15de686932f61a4fe60d206.exe	102

C:\Users\Admin\AppData\Local\Temp\08f25af2c15de686932f61a4fe60d206.exe
"C:\Users\Admin\AppData\Local\Temp\08f25af2c15de686932f61a4fe60d206.exe"
1⤵
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\cmd.exe
  cmd
  2⤵
  PID:1904
- C:\Users\Admin\AppData\Local\Temp\~240632156.tmpe
  C:\Users\Admin\AppData\Local\Temp\~240632156.tmpe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~240632156.tmpe

Filesize
7KB

MD5
826132c4b9f500a26274a8f589415b2d

SHA1
05f0990663ca2b31d8b320bccb57e721c4f3fdcf

SHA256
6e24832a7629050504c00b5ed93b0e78c37151352975b756d2a3365797ac695f

SHA512
57788e514695f82e6916fec3718e876813d79ec4137f4c43fcb28e47cd3f818285329ee90a5bc4d3a9d1534781f989f5e464cd02d51afbb6efcd728794f71c74

Download Submit
memory/2744-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2744-1-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2744-2-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2744-6-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2744-11-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download