3d5f832d20a62ba11f9c5cad7202bdd16e711f13ddb95f37654bf0eb01c300b6

Analysis

max time kernel
3s
max time network
145s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 07:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

12ce865f30cf09fb1695d51e65f4a3b4.exe
Size

460KB
MD5

12ce865f30cf09fb1695d51e65f4a3b4
SHA1

582b66806b08e0b02bf4fc4dd4dfdca200c7cc20
SHA256

3d5f832d20a62ba11f9c5cad7202bdd16e711f13ddb95f37654bf0eb01c300b6
SHA512

5d7a64cb3a0f6cec3603f84d9ce645a3de9eb80bc4de2a8974fcabc8593ba03fa370fd47f15af097e35061eb33ee214b10ca3fa69412080f71392066983a32ca
SSDEEP

12288:WlSt6oIHNOhU5O5TYo4XqTig5GSR9CClDDL:WlSt69HNx6T/5xT

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2864	iBdqphzke5.exe

Loads dropped DLL 2 IoCs

pid	Process
3040	12ce865f30cf09fb1695d51e65f4a3b4.exe
3040	12ce865f30cf09fb1695d51e65f4a3b4.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2560-53-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2560-52-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2560-51-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2560-47-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2560-43-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2560-41-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2496	2560	WerFault.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2576	tasklist.exe
2356	tasklist.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2864	iBdqphzke5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3040	12ce865f30cf09fb1695d51e65f4a3b4.exe
2864	iBdqphzke5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2864	3040	12ce865f30cf09fb1695d51e65f4a3b4.exe	21
PID 3040 wrote to memory of 2864	3040	12ce865f30cf09fb1695d51e65f4a3b4.exe	21
PID 3040 wrote to memory of 2864	3040	12ce865f30cf09fb1695d51e65f4a3b4.exe	21
PID 3040 wrote to memory of 2864	3040	12ce865f30cf09fb1695d51e65f4a3b4.exe	21

C:\Users\Admin\AppData\Local\Temp\12ce865f30cf09fb1695d51e65f4a3b4.exe
"C:\Users\Admin\AppData\Local\Temp\12ce865f30cf09fb1695d51e65f4a3b4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\iBdqphzke5.exe
  C:\Users\Admin\iBdqphzke5.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del iBdqphzke5.exe
    3⤵
    PID:2644
- - C:\Users\Admin\teilo.exe
    "C:\Users\Admin\teilo.exe"
    3⤵
    PID:800
- C:\Users\Admin\dstat.exe
  C:\Users\Admin\dstat.exe
  2⤵
  PID:2372
- C:\Users\Admin\astat.exe
  C:\Users\Admin\astat.exe
  2⤵
  PID:2668
- C:\Users\Admin\fstat.exe
  C:\Users\Admin\fstat.exe
  2⤵
  PID:2512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del 12ce865f30cf09fb1695d51e65f4a3b4.exe
  2⤵
  PID:1812

C:\Windows\SysWOW64\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 88
1⤵
- Program crash
PID:2496

C:\Users\Admin\astat.exe
"C:\Users\Admin\astat.exe"
1⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1856

C:\Windows\SysWOW64\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\iBdqphzke5.exe

Filesize
244KB

MD5
a4cdb62cf4866a17e742e7e9cc73d237

SHA1
30d94f8e872455ac569949ac4c768d0a0cdfbba7

SHA256
c741d649bf5b72fbe97470820ce994ce29b153baae14af10c3a2a9adc3098b32

SHA512
c4447f95565d3e5dc0ef7712382325280bedf127ac682f85f4043b586afb4188633f2c73277595eb31fe45d992107492f42c82a71f448286a9cb8fac4bfb3671

Download Submit
C:\Users\Admin\iBdqphzke5.exe

Filesize
92KB

MD5
897baeb2a4c8b1423697bd24caaa1f2c

SHA1
c84f1c46d35126781fd1b39e3d0abae18a7a80c0

SHA256
e51e784a6bd2bc356fc852239f2e8e500f064daea5f4da509c2fbfb8c68ea790

SHA512
daf3e842dcf507b7d1d422c181247345ed8460c8569baf5c6f5f4cd32f769ce1057b0380e826ebcbf793c3461020f68c86670fb2154d21e4ddb10b184172fd90

Download Submit
memory/336-134-0x00000000022E0000-0x00000000022F2000-memory.dmp

Filesize
72KB

Download
memory/336-118-0x00000000022E0000-0x00000000022F2000-memory.dmp

Filesize
72KB

Download
memory/336-120-0x00000000022E0000-0x00000000022F2000-memory.dmp

Filesize
72KB

Download
memory/336-119-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/336-129-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/848-147-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

Filesize
44KB

Download
memory/848-149-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

Filesize
44KB

Download
memory/848-146-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/848-142-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/848-138-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/848-137-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/848-159-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

Filesize
44KB

Download
memory/1352-112-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/1352-102-0x0000000002500000-0x0000000002506000-memory.dmp

Filesize
24KB

Download
memory/1352-106-0x0000000002500000-0x0000000002506000-memory.dmp

Filesize
24KB

Download
memory/1352-110-0x0000000002500000-0x0000000002506000-memory.dmp

Filesize
24KB

Download
memory/2512-79-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2512-80-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2512-93-0x0000000002A40000-0x0000000002A7D000-memory.dmp

Filesize
244KB

Download
memory/2512-96-0x0000000002A40000-0x0000000002A7D000-memory.dmp

Filesize
244KB

Download
memory/2512-95-0x0000000003110000-0x000000000314D000-memory.dmp

Filesize
244KB

Download
memory/2512-94-0x0000000002A40000-0x0000000002A7D000-memory.dmp

Filesize
244KB

Download
memory/2512-91-0x0000000002A40000-0x0000000002A7D000-memory.dmp

Filesize
244KB

Download
memory/2512-86-0x0000000002A40000-0x0000000002A7D000-memory.dmp

Filesize
244KB

Download
memory/2512-126-0x0000000003110000-0x000000000314D000-memory.dmp

Filesize
244KB

Download
memory/2512-125-0x0000000002A40000-0x0000000002A7D000-memory.dmp

Filesize
244KB

Download
memory/2512-124-0x0000000002380000-0x00000000023C6000-memory.dmp

Filesize
280KB

Download
memory/2512-122-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2512-89-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2512-90-0x0000000002A40000-0x0000000002A7D000-memory.dmp

Filesize
244KB

Download
memory/2512-111-0x0000000002A40000-0x0000000002A7D000-memory.dmp

Filesize
244KB

Download
memory/2512-83-0x0000000002A40000-0x0000000002A7D000-memory.dmp

Filesize
244KB

Download
memory/2512-81-0x0000000002380000-0x00000000023C6000-memory.dmp

Filesize
280KB

Download
memory/2512-78-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/2512-101-0x0000000002A40000-0x0000000002A7D000-memory.dmp

Filesize
244KB

Download
memory/2512-100-0x0000000002A40000-0x0000000002A7D000-memory.dmp

Filesize
244KB

Download
memory/2512-98-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/2512-92-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2512-82-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/2560-39-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2560-41-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2560-43-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2560-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2560-47-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2560-51-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2560-52-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2560-53-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2864-28-0x0000000004010000-0x0000000004ACA000-memory.dmp

Filesize
10.7MB

Download