dd11d23ce78790c82cc07ee9e22ff5b07e5d284f8007ee574b27656325b572e2

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0eda7f7833d52f885efd7d6a71f40d0b.exe
Size

75KB
MD5

0eda7f7833d52f885efd7d6a71f40d0b
SHA1

d00e0ba8dbbcb515971980b6a9ca9e494782d01d
SHA256

dd11d23ce78790c82cc07ee9e22ff5b07e5d284f8007ee574b27656325b572e2
SHA512

7bd3f98ce8efcbb9c5af4888a7d42d8bb0be2704af5cbc2e2e115a672fa3b18771939ae86f426560222bc9279da4eda6354836de785ba37798f305078fbf5dc0
SSDEEP

1536:CRAAzSDQTAcygwT4RaNuNUrrAHdx/8iOBk3XnpEldd5rjGu:MA2SUTaTPuNUrAOBk3XnWd5D

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3472	cstart-tmp.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4044-0-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4044-7-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x0007000000023039-6.dat	upx
behavioral2/memory/3472-32-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\gvcasinos.ini	cstart-tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 3472	4044	0eda7f7833d52f885efd7d6a71f40d0b.exe	89
PID 4044 wrote to memory of 3472	4044	0eda7f7833d52f885efd7d6a71f40d0b.exe	89
PID 4044 wrote to memory of 3472	4044	0eda7f7833d52f885efd7d6a71f40d0b.exe	89

C:\Users\Admin\AppData\Local\Temp\0eda7f7833d52f885efd7d6a71f40d0b.exe
"C:\Users\Admin\AppData\Local\Temp\0eda7f7833d52f885efd7d6a71f40d0b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\Temp\cstart-tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\cstart-tmp.exe" /wait 4044
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cstart-tmp.exe

Filesize
75KB

MD5
0eda7f7833d52f885efd7d6a71f40d0b

SHA1
d00e0ba8dbbcb515971980b6a9ca9e494782d01d

SHA256
dd11d23ce78790c82cc07ee9e22ff5b07e5d284f8007ee574b27656325b572e2

SHA512
7bd3f98ce8efcbb9c5af4888a7d42d8bb0be2704af5cbc2e2e115a672fa3b18771939ae86f426560222bc9279da4eda6354836de785ba37798f305078fbf5dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\log.dat

Filesize
4KB

MD5
7e475f966d7130d1d50cfe926c4684a7

SHA1
0ff7b40fc1de53c28d30071db8fb8d2eecf2f11a

SHA256
a2cb99b4ad13953531279cc2ba5bc432e64a29b3a48099cf707fc0e090d373a3

SHA512
be9d28d1ab1b83afb911d91ffc135dcb73edfe6e3e0abd03cfd5eebfd01a3f43e2cf947c7e0391b394344c21c4bdf696cb0d4eea506af44bb4de612c54842009

Download Submit
C:\Users\Admin\AppData\Local\Temp\settings.ini

Filesize
36B

MD5
26c759a5864fec759f2a7f25de9126b2

SHA1
abf1ce13092222e3d8bb3b5fbb4aed61dda38a36

SHA256
4a5f65b5e5d77649251661bb7ab6ba4b313e30b3063fb20d5b4677525e5547a7

SHA512
24039d4460fa965093785319bf3abfe1acb9b5eb4322ed8109fd1633737f00b4f28b310afdf04b1f44567e9420ff7d020491585c16125de0b182593c569a4e28

Download Submit
memory/3472-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4044-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4044-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download