c260718529a17dbc9422d74722db007d6c426ff5d553a66ed63842a712ec0b28

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cd3413bc13ff2fe72fb4818d901fbe4.exe
Size

8KB
MD5

0cd3413bc13ff2fe72fb4818d901fbe4
SHA1

4d9b87344fb7abfa4577bc3adf5b22d8f5beca82
SHA256

c260718529a17dbc9422d74722db007d6c426ff5d553a66ed63842a712ec0b28
SHA512

0657cb9faf365259c590296e8ceeeae848d8773676e729b67dbc9755b0cd4e633478fcc883e6206b2451e77f4b926bea960bbacd8b8ff0ebd6f41ee74f6b1cf4
SSDEEP

192:8Qkt0sTlIJCBwcrpcgATYwyKXqast59ELWBJmjGhZL2B:8ft0spfrpcgMBat59yWPmjSVy

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2864	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2720	winl0g0n.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2392-0-0x0000000013140000-0x0000000013149000-memory.dmp	upx
behavioral1/memory/2392-13-0x00000000002C0000-0x00000000002C9000-memory.dmp	upx
behavioral1/memory/2392-14-0x0000000013140000-0x0000000013149000-memory.dmp	upx
behavioral1/files/0x000d0000000122c5-16.dat	upx
behavioral1/memory/2720-22-0x0000000013140000-0x0000000013149000-memory.dmp	upx
behavioral1/memory/2392-29-0x0000000013140000-0x0000000013149000-memory.dmp	upx
behavioral1/memory/2720-28-0x0000000013140000-0x0000000013149000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winl0g0n.exe	0cd3413bc13ff2fe72fb4818d901fbe4.exe
File created	C:\Windows\winl0g0n.exe	0cd3413bc13ff2fe72fb4818d901fbe4.exe
File opened for modification	C:\Windows\winl0g0n.exe	winl0g0n.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2720	winl0g0n.exe
2720	winl0g0n.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2392	0cd3413bc13ff2fe72fb4818d901fbe4.exe
2720	winl0g0n.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2864	2392	0cd3413bc13ff2fe72fb4818d901fbe4.exe	28
PID 2392 wrote to memory of 2864	2392	0cd3413bc13ff2fe72fb4818d901fbe4.exe	28
PID 2392 wrote to memory of 2864	2392	0cd3413bc13ff2fe72fb4818d901fbe4.exe	28
PID 2392 wrote to memory of 2864	2392	0cd3413bc13ff2fe72fb4818d901fbe4.exe	28
PID 2392 wrote to memory of 2720	2392	0cd3413bc13ff2fe72fb4818d901fbe4.exe	30
PID 2392 wrote to memory of 2720	2392	0cd3413bc13ff2fe72fb4818d901fbe4.exe	30
PID 2392 wrote to memory of 2720	2392	0cd3413bc13ff2fe72fb4818d901fbe4.exe	30
PID 2392 wrote to memory of 2720	2392	0cd3413bc13ff2fe72fb4818d901fbe4.exe	30
PID 2720 wrote to memory of 1384	2720	winl0g0n.exe	14
PID 2720 wrote to memory of 1384	2720	winl0g0n.exe	14
PID 2720 wrote to memory of 1384	2720	winl0g0n.exe	14

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1384
- C:\Users\Admin\AppData\Local\Temp\0cd3413bc13ff2fe72fb4818d901fbe4.exe
  "C:\Users\Admin\AppData\Local\Temp\0cd3413bc13ff2fe72fb4818d901fbe4.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\del.bat
    3⤵
    - Deletes itself
    PID:2864
- - C:\Windows\winl0g0n.exe
    C:\Windows\winl0g0n.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Del.bat

Filesize
124B

MD5
c8ca5e9254d686cceb3005343ad1606b

SHA1
c231c72029d84f97e711c68c65201db0339e36b1

SHA256
d846f027c003a7a65148eec3f1e8403ac069fed52041383d12b48f02e163bbb9

SHA512
cb21716f4409c5a322f5c6b0fef83b1809e57129b1c581a20ce1a1e26126a5f681c4a0a96a14f65cefd19e888540a2c0816eb57bfbb6e2bebca05245d940be9f

Download Submit
C:\Windows\winl0g0n.exe

Filesize
8KB

MD5
0cd3413bc13ff2fe72fb4818d901fbe4

SHA1
4d9b87344fb7abfa4577bc3adf5b22d8f5beca82

SHA256
c260718529a17dbc9422d74722db007d6c426ff5d553a66ed63842a712ec0b28

SHA512
0657cb9faf365259c590296e8ceeeae848d8773676e729b67dbc9755b0cd4e633478fcc883e6206b2451e77f4b926bea960bbacd8b8ff0ebd6f41ee74f6b1cf4

Download Submit
memory/1384-23-0x0000000013140000-0x0000000013149000-memory.dmp

Filesize
36KB

Download
memory/1384-25-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1384-26-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2392-0-0x0000000013140000-0x0000000013149000-memory.dmp

Filesize
36KB

Download
memory/2392-13-0x00000000002C0000-0x00000000002C9000-memory.dmp

Filesize
36KB

Download
memory/2392-14-0x0000000013140000-0x0000000013149000-memory.dmp

Filesize
36KB

Download
memory/2392-29-0x0000000013140000-0x0000000013149000-memory.dmp

Filesize
36KB

Download
memory/2720-22-0x0000000013140000-0x0000000013149000-memory.dmp

Filesize
36KB

Download
memory/2720-28-0x0000000013140000-0x0000000013149000-memory.dmp

Filesize
36KB

Download