0f761a060c842a652d54b7314db73fd650ae5b65b042ac59d03f9f8b867c35b8

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

100866ba17da997902f151c321545421.exe
Size

27KB
MD5

100866ba17da997902f151c321545421
SHA1

f9a7525b5db9f9eebe61569069be9ecc5741f781
SHA256

0f761a060c842a652d54b7314db73fd650ae5b65b042ac59d03f9f8b867c35b8
SHA512

3d9a2d565e4d74f0e00993fda030b1768b88e95e1d3d92f0354c0f0861c728c2f6c374318040d24710784dc65e957aecfc2d12437b0a9aaf6c6127b960c6671d
SSDEEP

768:HiZun3CCvBYghyWyAd6DxgjP3zxeEX44jjte:Hz+gh9y1xY3zxNX4upe

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2716	rundll32.exe
2716	rundll32.exe
2716	rundll32.exe
2716	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2856-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2856-7-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xpsp0res.dll	100866ba17da997902f151c321545421.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2580	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2620	2716	WerFault.exe	30

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2856	100866ba17da997902f151c321545421.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 1896	2856	100866ba17da997902f151c321545421.exe	28
PID 2856 wrote to memory of 1896	2856	100866ba17da997902f151c321545421.exe	28
PID 2856 wrote to memory of 1896	2856	100866ba17da997902f151c321545421.exe	28
PID 2856 wrote to memory of 1896	2856	100866ba17da997902f151c321545421.exe	28
PID 1896 wrote to memory of 2716	1896	cmd.exe	30
PID 1896 wrote to memory of 2716	1896	cmd.exe	30
PID 1896 wrote to memory of 2716	1896	cmd.exe	30
PID 1896 wrote to memory of 2716	1896	cmd.exe	30
PID 1896 wrote to memory of 2716	1896	cmd.exe	30
PID 1896 wrote to memory of 2716	1896	cmd.exe	30
PID 1896 wrote to memory of 2716	1896	cmd.exe	30
PID 2856 wrote to memory of 2724	2856	100866ba17da997902f151c321545421.exe	31
PID 2856 wrote to memory of 2724	2856	100866ba17da997902f151c321545421.exe	31
PID 2856 wrote to memory of 2724	2856	100866ba17da997902f151c321545421.exe	31
PID 2856 wrote to memory of 2724	2856	100866ba17da997902f151c321545421.exe	31
PID 2724 wrote to memory of 2580	2724	cmd.exe	33
PID 2724 wrote to memory of 2580	2724	cmd.exe	33
PID 2724 wrote to memory of 2580	2724	cmd.exe	33
PID 2724 wrote to memory of 2580	2724	cmd.exe	33
PID 2856 wrote to memory of 2120	2856	100866ba17da997902f151c321545421.exe	34
PID 2856 wrote to memory of 2120	2856	100866ba17da997902f151c321545421.exe	34
PID 2856 wrote to memory of 2120	2856	100866ba17da997902f151c321545421.exe	34
PID 2856 wrote to memory of 2120	2856	100866ba17da997902f151c321545421.exe	34
PID 2716 wrote to memory of 2620	2716	rundll32.exe	35
PID 2716 wrote to memory of 2620	2716	rundll32.exe	35
PID 2716 wrote to memory of 2620	2716	rundll32.exe	35
PID 2716 wrote to memory of 2620	2716	rundll32.exe	35

C:\Users\Admin\AppData\Local\Temp\100866ba17da997902f151c321545421.exe
"C:\Users\Admin\AppData\Local\Temp\100866ba17da997902f151c321545421.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rundll32 xpsp0res.dll,RundllInstall IPRIP
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 xpsp0res.dll,RundllInstall IPRIP
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 228
      4⤵
      Program crash
      PID:2620
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start iprip 'cmd /k whoami' 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\sc.exe
    sc start iprip 'cmd /k whoami' 1
    3⤵
    - Launches sc.exe
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\100866~1.EXE > nul
  2⤵
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xpsp0res.dll

Filesize
44KB

MD5
dd393f5b7b35a3aaf6af0c997f3c7ecb

SHA1
a6431c9e7b03b96e979e2cdbbcfd282bbf9e574e

SHA256
5515e4d7a30c611984f6128fb7d1b56e940fc4a1e6b8dca664d8b08375cfa75d

SHA512
371e99cee85f635d41028bc7de1d81e2d9778670f7f46c161289039ec95d225bb25a968599e0c978e9ea1ce91b1e7ae41cf0fcf8d7d90253266afa91d17a1e3e

Download Submit
memory/2856-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2856-7-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download