6c1e41ee14bd3f304c69e54412b5c732e055d082a0ca17a80278201eb80b09c2

Analysis

max time kernel
121s
max time network
138s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0abfeea8052c65db343b0f40662c6158.exe
Size

13KB
MD5

0abfeea8052c65db343b0f40662c6158
SHA1

f842cce03bd696d352d731779f6a776e30f3eab9
SHA256

6c1e41ee14bd3f304c69e54412b5c732e055d082a0ca17a80278201eb80b09c2
SHA512

8efe08488dfe5601b0849163b67d7725cea5f7ef9c48198a3602a42048655f8fa85d29c467de94ce0b241f2e96dd6dd6df4f62730d72471fb92119893bce0bb2
SSDEEP

384:a/gPsXVsdS0dflYjSqY8TPYnTTh+8WAOJWIs:a/VMl7x8TWh8

Score

8^/10

evasion upx

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	0abfeea8052c65db343b0f40662c6158.exe

Disables Task Manager via registry modification
evasion

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1680-0-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1680-3-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1680-4-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Runs net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1680	0abfeea8052c65db343b0f40662c6158.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2700	1680	0abfeea8052c65db343b0f40662c6158.exe	29
PID 1680 wrote to memory of 2700	1680	0abfeea8052c65db343b0f40662c6158.exe	29
PID 1680 wrote to memory of 2700	1680	0abfeea8052c65db343b0f40662c6158.exe	29
PID 1680 wrote to memory of 2700	1680	0abfeea8052c65db343b0f40662c6158.exe	29
PID 1680 wrote to memory of 2896	1680	0abfeea8052c65db343b0f40662c6158.exe	31
PID 1680 wrote to memory of 2896	1680	0abfeea8052c65db343b0f40662c6158.exe	31
PID 1680 wrote to memory of 2896	1680	0abfeea8052c65db343b0f40662c6158.exe	31
PID 1680 wrote to memory of 2896	1680	0abfeea8052c65db343b0f40662c6158.exe	31
PID 1680 wrote to memory of 2900	1680	0abfeea8052c65db343b0f40662c6158.exe	42
PID 1680 wrote to memory of 2900	1680	0abfeea8052c65db343b0f40662c6158.exe	42
PID 1680 wrote to memory of 2900	1680	0abfeea8052c65db343b0f40662c6158.exe	42
PID 1680 wrote to memory of 2900	1680	0abfeea8052c65db343b0f40662c6158.exe	42
PID 1680 wrote to memory of 3028	1680	0abfeea8052c65db343b0f40662c6158.exe	33
PID 1680 wrote to memory of 3028	1680	0abfeea8052c65db343b0f40662c6158.exe	33
PID 1680 wrote to memory of 3028	1680	0abfeea8052c65db343b0f40662c6158.exe	33
PID 1680 wrote to memory of 3028	1680	0abfeea8052c65db343b0f40662c6158.exe	33
PID 1680 wrote to memory of 2612	1680	0abfeea8052c65db343b0f40662c6158.exe	41
PID 1680 wrote to memory of 2612	1680	0abfeea8052c65db343b0f40662c6158.exe	41
PID 1680 wrote to memory of 2612	1680	0abfeea8052c65db343b0f40662c6158.exe	41
PID 1680 wrote to memory of 2612	1680	0abfeea8052c65db343b0f40662c6158.exe	41
PID 1680 wrote to memory of 2860	1680	0abfeea8052c65db343b0f40662c6158.exe	36
PID 1680 wrote to memory of 2860	1680	0abfeea8052c65db343b0f40662c6158.exe	36
PID 1680 wrote to memory of 2860	1680	0abfeea8052c65db343b0f40662c6158.exe	36
PID 1680 wrote to memory of 2860	1680	0abfeea8052c65db343b0f40662c6158.exe	36
PID 1680 wrote to memory of 2288	1680	0abfeea8052c65db343b0f40662c6158.exe	40
PID 1680 wrote to memory of 2288	1680	0abfeea8052c65db343b0f40662c6158.exe	40
PID 1680 wrote to memory of 2288	1680	0abfeea8052c65db343b0f40662c6158.exe	40
PID 1680 wrote to memory of 2288	1680	0abfeea8052c65db343b0f40662c6158.exe	40
PID 1680 wrote to memory of 1168	1680	0abfeea8052c65db343b0f40662c6158.exe	37
PID 1680 wrote to memory of 1168	1680	0abfeea8052c65db343b0f40662c6158.exe	37
PID 1680 wrote to memory of 1168	1680	0abfeea8052c65db343b0f40662c6158.exe	37
PID 1680 wrote to memory of 1168	1680	0abfeea8052c65db343b0f40662c6158.exe	37
PID 1680 wrote to memory of 2832	1680	0abfeea8052c65db343b0f40662c6158.exe	44
PID 1680 wrote to memory of 2832	1680	0abfeea8052c65db343b0f40662c6158.exe	44
PID 1680 wrote to memory of 2832	1680	0abfeea8052c65db343b0f40662c6158.exe	44
PID 1680 wrote to memory of 2832	1680	0abfeea8052c65db343b0f40662c6158.exe	44
PID 1680 wrote to memory of 2588	1680	0abfeea8052c65db343b0f40662c6158.exe	45
PID 1680 wrote to memory of 2588	1680	0abfeea8052c65db343b0f40662c6158.exe	45
PID 1680 wrote to memory of 2588	1680	0abfeea8052c65db343b0f40662c6158.exe	45
PID 1680 wrote to memory of 2588	1680	0abfeea8052c65db343b0f40662c6158.exe	45
PID 1680 wrote to memory of 2596	1680	0abfeea8052c65db343b0f40662c6158.exe	46
PID 1680 wrote to memory of 2596	1680	0abfeea8052c65db343b0f40662c6158.exe	46
PID 1680 wrote to memory of 2596	1680	0abfeea8052c65db343b0f40662c6158.exe	46
PID 1680 wrote to memory of 2596	1680	0abfeea8052c65db343b0f40662c6158.exe	46
PID 1680 wrote to memory of 2620	1680	0abfeea8052c65db343b0f40662c6158.exe	47
PID 1680 wrote to memory of 2620	1680	0abfeea8052c65db343b0f40662c6158.exe	47
PID 1680 wrote to memory of 2620	1680	0abfeea8052c65db343b0f40662c6158.exe	47
PID 1680 wrote to memory of 2620	1680	0abfeea8052c65db343b0f40662c6158.exe	47
PID 2700 wrote to memory of 2308	2700	net.exe	57
PID 2700 wrote to memory of 2308	2700	net.exe	57
PID 2700 wrote to memory of 2308	2700	net.exe	57
PID 2700 wrote to memory of 2308	2700	net.exe	57
PID 1680 wrote to memory of 2128	1680	0abfeea8052c65db343b0f40662c6158.exe	60
PID 1680 wrote to memory of 2128	1680	0abfeea8052c65db343b0f40662c6158.exe	60
PID 1680 wrote to memory of 2128	1680	0abfeea8052c65db343b0f40662c6158.exe	60
PID 1680 wrote to memory of 2128	1680	0abfeea8052c65db343b0f40662c6158.exe	60
PID 1680 wrote to memory of 1988	1680	0abfeea8052c65db343b0f40662c6158.exe	50
PID 1680 wrote to memory of 1988	1680	0abfeea8052c65db343b0f40662c6158.exe	50
PID 1680 wrote to memory of 1988	1680	0abfeea8052c65db343b0f40662c6158.exe	50
PID 1680 wrote to memory of 1988	1680	0abfeea8052c65db343b0f40662c6158.exe	50
PID 2900 wrote to memory of 1908	2900	net.exe	55
PID 2900 wrote to memory of 1908	2900	net.exe	55
PID 2900 wrote to memory of 1908	2900	net.exe	55
PID 2900 wrote to memory of 1908	2900	net.exe	55

C:\Users\Admin\AppData\Local\Temp\0abfeea8052c65db343b0f40662c6158.exe
"C:\Users\Admin\AppData\Local\Temp\0abfeea8052c65db343b0f40662c6158.exe"
1⤵
- Disables RegEdit via registry modification
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\net.exe
  net stop "Event Log"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Event Log"
    3⤵
    PID:2308
- C:\Windows\SysWOW64\net.exe
  net stop "Messenger"
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Messenger"
    3⤵
    PID:1072
- C:\Windows\SysWOW64\net.exe
  net stop "TrueVector Internet Monitor"
  2⤵
  PID:3028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueVector Internet Monitor"
    3⤵
    PID:696
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Internet Security Accounts Manager"
  2⤵
  PID:2860
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Internet Security Accounts Manager"
    3⤵
    PID:784
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Internet Security Service"
  2⤵
  PID:1168
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Internet Security Service"
    3⤵
    PID:980
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Internet Security Proxy Service"
  2⤵
  PID:2288
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Internet Security Proxy Service"
    3⤵
    PID:984
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2880
- C:\Windows\SysWOW64\net.exe
  net stop "Zonealarm"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Zonealarm"
    3⤵
    PID:1908
- C:\Windows\SysWOW64\net.exe
  net stop "Norton AntiVirus Server"
  2⤵
  PID:2832
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton AntiVirus Server"
    3⤵
    PID:268
- C:\Windows\SysWOW64\net.exe
  net stop "Norton AntiVirus Auto Protect Service"
  2⤵
  PID:2588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton AntiVirus Auto Protect Service"
    3⤵
    PID:1084
- C:\Windows\SysWOW64\net.exe
  net stop "Norton AntiVirus Client"
  2⤵
  PID:2596
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton AntiVirus Client"
    3⤵
    PID:1108
- C:\Windows\SysWOW64\net.exe
  net stop "Symantec AntiVirus Client"
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Symantec AntiVirus Client"
    3⤵
    PID:2564
- C:\Windows\SysWOW64\net.exe
  net stop "DefWatch"
  2⤵
  PID:2804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "DefWatch"
    3⤵
    PID:2140
- C:\Windows\SysWOW64\net.exe
  net stop "IPSEC Policy Agent"
  2⤵
  PID:1988
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IPSEC Policy Agent"
    3⤵
    PID:1868
- C:\Windows\SysWOW64\net.exe
  net stop "WMDM PMSP Service"
  2⤵
  PID:2932
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "WMDM PMSP Service"
    3⤵
    PID:1876
- C:\Windows\SysWOW64\net.exe
  net stop "McShield"
  2⤵
  PID:2128
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McShield"
    3⤵
    PID:2812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1680-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1680-3-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1680-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download