bdcee4aff241d86bb674ea37bccf2ee9107b9c77bf75a241caad161af9cb8789

Analysis

max time kernel
24s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1269132bab2e13125eb368531b010039.exe
Size

219KB
MD5

1269132bab2e13125eb368531b010039
SHA1

0bf11c5c4b491589d5a80222ff1c2ba054013cd2
SHA256

bdcee4aff241d86bb674ea37bccf2ee9107b9c77bf75a241caad161af9cb8789
SHA512

82ed70558b97dd36f45288d571f096aa456cca5415268c3a5c5385d808c684ccc38bc4f499811a4617621322c045f71224454e30cb0eeece0c3b3a57d3adf01f
SSDEEP

3072:HusMdsG4h2QnZsPm+FFDmVLNW4R6UwUa0I0S7lIPvCdbCNHkCiPxiU16jwKc:HTMdnEl+hFMBWne1SSP6nCi1

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1252	Gjilua.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2668-0-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/2668-2-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/files/0x0006000000023222-12.dat	upx
behavioral2/files/0x0006000000023222-13.dat	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	1269132bab2e13125eb368531b010039.exe
File opened for modification	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	1269132bab2e13125eb368531b010039.exe
File created	C:\Windows\Gjilua.exe	1269132bab2e13125eb368531b010039.exe
File opened for modification	C:\Windows\Gjilua.exe	1269132bab2e13125eb368531b010039.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1608	1252	WerFault.exe	97

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2668	1269132bab2e13125eb368531b010039.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 1252	2668	1269132bab2e13125eb368531b010039.exe	97
PID 2668 wrote to memory of 1252	2668	1269132bab2e13125eb368531b010039.exe	97
PID 2668 wrote to memory of 1252	2668	1269132bab2e13125eb368531b010039.exe	97

C:\Users\Admin\AppData\Local\Temp\1269132bab2e13125eb368531b010039.exe
"C:\Users\Admin\AppData\Local\Temp\1269132bab2e13125eb368531b010039.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\Gjilua.exe
  C:\Windows\Gjilua.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 928
    3⤵
    - Program crash
    PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1252 -ip 1252
1⤵
PID:3912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Gjilua.exe

Filesize
17KB

MD5
b66f9c0edb47bb50c1c15aa3e8bd1201

SHA1
809415acd3d1bdce6adfd65eba75160a8176c6c6

SHA256
df04f10730e4aa9d0414be0a0ed4806c0adaf1248da9a14fe5079bdd109a225c

SHA512
95991a3cbe7e521eae51578ca96da5e3b072272a8ff24e53864cb74360297beec1fd7c5795bd487dc6efd3c42cdb6427ed1071b11507f30bb85563aaccf1ca4d

Download Submit
C:\Windows\Gjilua.exe

Filesize
32KB

MD5
ee3450d29237e630d9187edb9da872e5

SHA1
56a0ebc9f93ea09e2090933141e30c81d15518f2

SHA256
c457d94b36ebbd3d28776a309c35124705c5b25350eface6be5022a7a6bbbf31

SHA512
361aebbf985fd69bc44c9f03a1bfb900bca2966928a2d31695aeea07f35d1ef09b9a632b6aae67eabf6679a74793c0ac2f57a16a400179f4ec7f2d81e03ddf2a

Download Submit
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

Filesize
362B

MD5
e9ff8bd043f14a297f1a340d56863fca

SHA1
670f27c136b4d0118b41dccfb24acd26cb84724a

SHA256
93068df7a78ecd5165dc3fb55b3644bf5fafb66ce1cf37190f76aebebd5f8fa7

SHA512
beb0bc19e5629f954592ef8fd32a41e4f10384f5ecb53ed2b1bae9607bb0d494df6399d37b2c58244f7342a3a89d87e22affa157f6072d9d38bccac9557c0401

Download Submit
memory/1252-21-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2668-0-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2668-2-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2668-1-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/2668-5-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2668-9-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2668-13264-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download