6a4d0d0533289a4772faecb5cf0b674529ca8932faaa51b4f58adc791f1afb23

Analysis

max time kernel
15s
max time network
142s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10a43ca9131f1575adbc9473bcaa761a.exe
Size

477KB
MD5

10a43ca9131f1575adbc9473bcaa761a
SHA1

fdeb43537f4838c37e40665113c597c5b74035d2
SHA256

6a4d0d0533289a4772faecb5cf0b674529ca8932faaa51b4f58adc791f1afb23
SHA512

7a56a971549f757c6e6e675de2e7447e1676b116c047837158aae2b66763e6f05621d4cb74d489598ec57a8fe1c84d15e20265ad5a884449763ab4aa96c93e14
SSDEEP

6144:t515g515g515g515g5151515seP1ZVI51yZAv:N1M51yZAv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2184	exc.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/888-1-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2184-10-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000a000000013a21-5.dat	upx
behavioral1/files/0x0001000000003e93-25.dat	upx
behavioral1/memory/2184-276-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/888-275-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/888-618-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2184-2258-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/888-2256-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\azroleui.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\COLORCNV.DLL	exc.exe
File created	C:\WINDOWS\SysWOW64\cryptbase.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\C_1255.NLS	exc.exe
File created	C:\WINDOWS\SysWOW64\adsmsext.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\api-ms-win-crt-convert-l1-1-0.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\api-ms-win-crt-time-l1-1-0.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\COLORCNV.DLL	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\C_875.NLS	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\AUDIOKSE.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\BioCredProv.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\btpanui.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\bdaplgin.ax	exc.exe
File created	C:\WINDOWS\SysWOW64\advpack.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\apds.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\appmgmts.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\browcli.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\C_1250.NLS	exc.exe
File created	C:\WINDOWS\SysWOW64\C_775.NLS	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\C_ISCII.DLL	exc.exe
File created	C:\WINDOWS\SysWOW64\adsnt.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\amstream.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\api-ms-win-crt-utility-l1-1-0.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\cero.rs	exc.exe
File created	C:\WINDOWS\SysWOW64\clfsw32.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\cscript.exe	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\C_20420.NLS	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\C_20905.NLS	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\amxread.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\api-ms-win-core-processthreads-l1-1-1.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File opened for modification	C:\WINDOWS\SysWOW64\atl100.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\C_21025.NLS	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\C_855.NLS	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\ACCTRES.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\bthudtask.exe	exc.exe
File created	C:\WINDOWS\SysWOW64\cttunesvr.exe	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\cscapi.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\C_861.NLS	exc.exe
File created	C:\WINDOWS\SysWOW64\acledit.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\AzSqlExt.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\catsrvps.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\adtschema.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\api-ms-win-eventing-provider-l1-1-0.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\cscobj.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\bthprops.cpl	exc.exe
File created	C:\WINDOWS\SysWOW64\cfgmgr32.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\cmcfg32.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\cmutil.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\cryptdlg.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\api-ms-win-core-xstate-l2-1-0.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File opened for modification	C:\WINDOWS\SysWOW64\aspnet_counters.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\bitsperf.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\C_1251.NLS	exc.exe
File created	C:\WINDOWS\SysWOW64\C_20949.NLS	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\C_866.NLS	exc.exe
File created	C:\WINDOWS\SysWOW64\autoplay.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\12520850.cpx	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\apisetschema.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\AuthFWGP.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\BioCredProv.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\C_1256.NLS	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\SysWOW64\davclnt.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dll	exc.exe

Drops file in Windows directory 52 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\msdfmap.ini	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\write.exe	exc.exe
File opened for modification	C:\WINDOWS\system.ini	exc.exe
File opened for modification	C:\WINDOWS\win.ini	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\explorer.exe	exc.exe
File created	C:\WINDOWS\twunk_16.exe	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\write.exe	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\twain_32.dll	exc.exe
File opened for modification	C:\WINDOWS\Ultimate.xml	10a43ca9131f1575adbc9473bcaa761a.exe
File opened for modification	C:\WINDOWS\Ultimate.xml	exc.exe
File created	C:\WINDOWS\fveupdate.exe	exc.exe
File created	C:\WINDOWS\HelpPane.exe	exc.exe
File opened for modification	C:\WINDOWS\setuperr.log	10a43ca9131f1575adbc9473bcaa761a.exe
File opened for modification	C:\WINDOWS\Starter.xml	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\twain_32.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\winhlp32.exe	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\HelpPane.exe	10a43ca9131f1575adbc9473bcaa761a.exe
File opened for modification	C:\WINDOWS\setuperr.log	exc.exe
File opened for modification	C:\WINDOWS\Starter.xml	exc.exe
File created	C:\WINDOWS\twunk_16.exe	exc.exe
File opened for modification	C:\WINDOWS\msdfmap.ini	exc.exe
File created	C:\WINDOWS\splwow64.exe	exc.exe
File created	C:\WINDOWS\splwow64.exe	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\bfsvc.exe	exc.exe
File created	C:\WINDOWS\mib.bin	exc.exe
File created	C:\WINDOWS\notepad.exe	exc.exe
File created	C:\WINDOWS\bfsvc.exe	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\twain.dll	exc.exe
File created	C:\WINDOWS\WMSysPr9.prx	exc.exe
File created	C:\WINDOWS\explorer.exe	10a43ca9131f1575adbc9473bcaa761a.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\winhlp32.exe	exc.exe
File created	C:\WINDOWS\WMSysPr9.prx	10a43ca9131f1575adbc9473bcaa761a.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	exc.exe
File opened for modification	C:\WINDOWS\setupact.log	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\twain.dll	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\twunk_32.exe	10a43ca9131f1575adbc9473bcaa761a.exe
File opened for modification	C:\WINDOWS\win.ini	exc.exe
File created	C:\WINDOWS\mib.bin	10a43ca9131f1575adbc9473bcaa761a.exe
File opened for modification	C:\WINDOWS\PFRO.log	10a43ca9131f1575adbc9473bcaa761a.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	exc.exe
File created	C:\WINDOWS\fveupdate.exe	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\notepad.exe	10a43ca9131f1575adbc9473bcaa761a.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\twunk_32.exe	exc.exe
File created	C:\WINDOWS\hh.exe	10a43ca9131f1575adbc9473bcaa761a.exe
File opened for modification	C:\WINDOWS\setupact.log	exc.exe
File opened for modification	C:\WINDOWS\system.ini	10a43ca9131f1575adbc9473bcaa761a.exe
File created	C:\WINDOWS\hh.exe	exc.exe
File opened for modification	C:\WINDOWS\PFRO.log	exc.exe
File opened for modification	C:\WINDOWS\TSSysprep.log	exc.exe
File opened for modification	C:\WINDOWS\TSSysprep.log	10a43ca9131f1575adbc9473bcaa761a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 2184	888	10a43ca9131f1575adbc9473bcaa761a.exe	28
PID 888 wrote to memory of 2184	888	10a43ca9131f1575adbc9473bcaa761a.exe	28
PID 888 wrote to memory of 2184	888	10a43ca9131f1575adbc9473bcaa761a.exe	28
PID 888 wrote to memory of 2184	888	10a43ca9131f1575adbc9473bcaa761a.exe	28

C:\Users\Admin\AppData\Local\Temp\10a43ca9131f1575adbc9473bcaa761a.exe
"C:\Users\Admin\AppData\Local\Temp\10a43ca9131f1575adbc9473bcaa761a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:888
- C:\exc.exe
  "C:\exc.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:2184
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.freeav.com/
    3⤵
    PID:1684
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1684 CREDAT:275457 /prefetch:2
      4⤵
      PID:2620
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1684 CREDAT:734223 /prefetch:2
      4⤵
      PID:1580
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1684 CREDAT:996370 /prefetch:2
      4⤵
      PID:2080
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.freeav.com/
  2⤵
  PID:1676
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:275457 /prefetch:2
    3⤵
    PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\system.ini

Filesize
27KB

MD5
596ee3c2e6ef677d2a2bda8b84941c7e

SHA1
f10958e5e2118023a3d6a441e52c2f4aed57162f

SHA256
0cee20f9941195fe3b2b9611d68d28e9972c666b9d6b439531bb12a8446b7484

SHA512
e7c56de94ce8b38f8356b1fd4c76984dd2061bc76cb2ca500f4280805f6f7221e6a82dc71c7724df12a62b5f9c772685f350a37fa0f7d98edcc8ef3379481e1b

Download Submit
memory/888-275-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/888-9-0x0000000002260000-0x000000000226A000-memory.dmp

Filesize
40KB

Download
memory/888-1-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/888-278-0x0000000002260000-0x000000000226A000-memory.dmp

Filesize
40KB

Download
memory/888-277-0x0000000002260000-0x000000000226A000-memory.dmp

Filesize
40KB

Download
memory/888-618-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/888-2256-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2184-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2184-276-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2184-2258-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2184-5538-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download