90e66a2abce2a534f5f890fe0c77643568308d6e9e27ac00a2248c6b492f3f95

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19045b2baf33f91c99da4ea9a7a409d4.exe
Size

10KB
MD5

19045b2baf33f91c99da4ea9a7a409d4
SHA1

fb14ca6fea7aa049402e9f144cf974d643beaeaf
SHA256

90e66a2abce2a534f5f890fe0c77643568308d6e9e27ac00a2248c6b492f3f95
SHA512

064e7191cf091cd8d31a7dc82c59feb9452b7835d270f2e981b272bff07224ad9b0456c00bfe510866e771e95eba708949cfb5f5feeb3e42a6e206c4f81268b5
SSDEEP

192:RyMqv+F7pQtH5dWVJLD9popPzvKx1jRN6TDzi/6DGLdtY/cLbf+OHTTFZ:Idg7pQtHDYLD0p2n+DO/I6Y4bjzr

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2652	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1632	comboausk.exe

Loads dropped DLL 2 IoCs

pid	Process
1052	19045b2baf33f91c99da4ea9a7a409d4.exe
1052	19045b2baf33f91c99da4ea9a7a409d4.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1052-0-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/files/0x00080000000122c4-3.dat	upx
behavioral1/memory/1052-18-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1632-20-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\comboaus.dll	19045b2baf33f91c99da4ea9a7a409d4.exe
File created	C:\Windows\SysWOW64\comboausk.exe	19045b2baf33f91c99da4ea9a7a409d4.exe
File opened for modification	C:\Windows\SysWOW64\comboausk.exe	19045b2baf33f91c99da4ea9a7a409d4.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1052	19045b2baf33f91c99da4ea9a7a409d4.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 1632	1052	19045b2baf33f91c99da4ea9a7a409d4.exe	28
PID 1052 wrote to memory of 1632	1052	19045b2baf33f91c99da4ea9a7a409d4.exe	28
PID 1052 wrote to memory of 1632	1052	19045b2baf33f91c99da4ea9a7a409d4.exe	28
PID 1052 wrote to memory of 1632	1052	19045b2baf33f91c99da4ea9a7a409d4.exe	28
PID 1052 wrote to memory of 2652	1052	19045b2baf33f91c99da4ea9a7a409d4.exe	29
PID 1052 wrote to memory of 2652	1052	19045b2baf33f91c99da4ea9a7a409d4.exe	29
PID 1052 wrote to memory of 2652	1052	19045b2baf33f91c99da4ea9a7a409d4.exe	29
PID 1052 wrote to memory of 2652	1052	19045b2baf33f91c99da4ea9a7a409d4.exe	29

C:\Users\Admin\AppData\Local\Temp\19045b2baf33f91c99da4ea9a7a409d4.exe
"C:\Users\Admin\AppData\Local\Temp\19045b2baf33f91c99da4ea9a7a409d4.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\SysWOW64\comboausk.exe
  C:\Windows\system32\comboausk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\19045b2baf33f91c99da4ea9a7a409d4.exe.bat
  2⤵
  - Deletes itself
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\19045b2baf33f91c99da4ea9a7a409d4.exe.bat

Filesize
182B

MD5
31c8e01563a5e3ea7f0d0aa7d77402ca

SHA1
7b31b8f7ea4041eea25688f68d6742914f3b7e36

SHA256
c202974b54e334dfd7872a739731fc1cf40e24a5bed3251608aa23e18e6ca2cf

SHA512
74d2184e9d30d674c16fe03d2b2f0f81820dea2987748388a7cd0a673747526163a5d98d63a8362795f8a6267e516971f93f3ad31b1f31be878fa65a7eb88d84

Download Submit
\Windows\SysWOW64\comboausk.exe

Filesize
10KB

MD5
19045b2baf33f91c99da4ea9a7a409d4

SHA1
fb14ca6fea7aa049402e9f144cf974d643beaeaf

SHA256
90e66a2abce2a534f5f890fe0c77643568308d6e9e27ac00a2248c6b492f3f95

SHA512
064e7191cf091cd8d31a7dc82c59feb9452b7835d270f2e981b272bff07224ad9b0456c00bfe510866e771e95eba708949cfb5f5feeb3e42a6e206c4f81268b5

Download Submit
memory/1052-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1052-8-0x0000000000030000-0x000000000003E000-memory.dmp

Filesize
56KB

Download
memory/1052-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1632-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download