ad25aee2ec0e371e291dfcf9e53b5d4dee44af5ec6b2a506d6067c1985f3458e

Analysis

max time kernel
200s
max time network
228s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 20:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1bca7fa2cb997fefbdaf7245aa78e039.exe
Size

206KB
MD5

1bca7fa2cb997fefbdaf7245aa78e039
SHA1

f148d54dfebfcd2073750da0d65590abacd2b7ec
SHA256

ad25aee2ec0e371e291dfcf9e53b5d4dee44af5ec6b2a506d6067c1985f3458e
SHA512

af826b6dbf5db1fd7c8ef2a997b39c29950e6ed14c9bdb5dae844163513a90be4cf37e4955086a4f20e10bfb53542d10a53877544730e364f12a381819b2380e
SSDEEP

3072:sgd8Vkdpn6ySznrDWpyrCCzrhThkwOYUpWqX9ogCl+ZVij+an7OSS9iIsLc3:Bd8VmpGXDWOXVThkvY8NrCl+biC9iIs

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1412	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2636-0-0x0000000000400000-0x0000000000447000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2636 set thread context of 1412	2636	1bca7fa2cb997fefbdaf7245aa78e039.exe	29

Modifies registry class 3 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{b1284f4e-e5d7-808d-311b-8920c23973db}\u = "117"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{b1284f4e-e5d7-808d-311b-8920c23973db}\cid = "5232910308087604085"	explorer.exe
Key created	\registry\machine\Software\Classes\Interface\{b1284f4e-e5d7-808d-311b-8920c23973db}	explorer.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1412	explorer.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 1412	2636	1bca7fa2cb997fefbdaf7245aa78e039.exe	29
PID 2636 wrote to memory of 1412	2636	1bca7fa2cb997fefbdaf7245aa78e039.exe	29
PID 2636 wrote to memory of 1412	2636	1bca7fa2cb997fefbdaf7245aa78e039.exe	29
PID 2636 wrote to memory of 1412	2636	1bca7fa2cb997fefbdaf7245aa78e039.exe	29
PID 2636 wrote to memory of 1412	2636	1bca7fa2cb997fefbdaf7245aa78e039.exe	29
PID 1412 wrote to memory of 336	1412	explorer.exe	27

C:\Users\Admin\AppData\Local\Temp\1bca7fa2cb997fefbdaf7245aa78e039.exe
"C:\Users\Admin\AppData\Local\Temp\1bca7fa2cb997fefbdaf7245aa78e039.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\explorer.exe
  00000098*
  2⤵
  - Deletes itself
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1412

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.DLL

Filesize
31KB

MD5
adf1ddd89d424e8d0e275cc42747ec81

SHA1
321105503846b4a5f8fd3ccd6d92253c39b3e1ce

SHA256
5611fddc5046fce5bbd4d1c1779df429a217b1f952ec973059f7c67e4dfdd46f

SHA512
3afb78bc1e49c224726ae824a4d36923bc9fedbdbc027576427932d900bbb17a3b536f1b384bc52bd1a1892ff23c5a2453065530fbdc0023392a0d17e7cbc184

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
9fd598c4e837feb35c9493c65fd9aa6a

SHA1
e0534b6dd0a9c4863e8e8871cd405ce32e036263

SHA256
0df06c0373100e4193ff70cf93da3d6fcbaa8e6ae104d73daa6a5b99fedf31d8

SHA512
b51a8e54626387d60d007cd636b31d730ad7fd58b344a68c1c802bf249b1966087e0aec539127be5fa74b1a69c31de96197fcb952a3a86e700cc408e71002374

Download Submit
memory/336-20-0x0000000000720000-0x000000000072C000-memory.dmp

Filesize
48KB

Download
memory/336-21-0x0000000000720000-0x000000000072C000-memory.dmp

Filesize
48KB

Download
memory/1412-4-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download
memory/1412-5-0x00000000000E0000-0x00000000000F2000-memory.dmp

Filesize
72KB

Download
memory/1412-10-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download
memory/1412-15-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download
memory/2636-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2636-1-0x0000000000230000-0x0000000000249000-memory.dmp

Filesize
100KB

Download
memory/2636-2-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2636-3-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download