d9a9ed77f9b7b391bdeddcb96a0e65c3acb089edb6bddfe9e79ea104914053a3

Analysis

max time kernel
180s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c742b58546b9f6fb858d46e480e7073.exe
Size

366KB
MD5

1c742b58546b9f6fb858d46e480e7073
SHA1

400b0d2e3a1f6385a6c071b28d0c2c5a3ee90576
SHA256

d9a9ed77f9b7b391bdeddcb96a0e65c3acb089edb6bddfe9e79ea104914053a3
SHA512

6b9cfe5dafe41439b6d22b7ceefca033af04b6589785b11cfff29d8ce4945f47e6894628665fd5f2b1495eea004e9a17f1fac3b99268e27a5bf922274b7a7c86
SSDEEP

6144:T8f5iMeaeRKisc9HMKnK9NG1KKPyqXon9qdpPudbgz++en/HCIUYWICWBP:+iMsnF9Hy9KPyqXk9qdgdbgz++e/HOdq

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3488	cO28269HjNkG28269.exe

Executes dropped EXE 1 IoCs

pid	Process
3488	cO28269HjNkG28269.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4996-6-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/4996-13-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/3488-19-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/3488-22-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/3488-26-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/3488-29-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/3488-32-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cO28269HjNkG28269 = "C:\\ProgramData\\cO28269HjNkG28269\\cO28269HjNkG28269.exe"	cO28269HjNkG28269.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4996	1c742b58546b9f6fb858d46e480e7073.exe
4996	1c742b58546b9f6fb858d46e480e7073.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	1c742b58546b9f6fb858d46e480e7073.exe
Token: SeDebugPrivilege	3488	cO28269HjNkG28269.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3488	cO28269HjNkG28269.exe
3488	cO28269HjNkG28269.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 3488	4996	1c742b58546b9f6fb858d46e480e7073.exe	93
PID 4996 wrote to memory of 3488	4996	1c742b58546b9f6fb858d46e480e7073.exe	93
PID 4996 wrote to memory of 3488	4996	1c742b58546b9f6fb858d46e480e7073.exe	93

C:\Users\Admin\AppData\Local\Temp\1c742b58546b9f6fb858d46e480e7073.exe
"C:\Users\Admin\AppData\Local\Temp\1c742b58546b9f6fb858d46e480e7073.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996
- C:\ProgramData\cO28269HjNkG28269\cO28269HjNkG28269.exe
  "C:\ProgramData\cO28269HjNkG28269\cO28269HjNkG28269.exe" "C:\Users\Admin\AppData\Local\Temp\1c742b58546b9f6fb858d46e480e7073.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cO28269HjNkG28269\cO28269HjNkG28269.exe

Filesize
149KB

MD5
cb6479236bf9630a725b6a7e8f2aac7a

SHA1
3e3ebe4d742ce3f75f4b155d63bef2eb21b1a2fc

SHA256
6816caed55a892afb8af71eaaebfcfa6f3484faea810b53e828729073f5b1a74

SHA512
9977ddcf1c009287492f5f20f91e43581879308e0e23b5b71e2ef69150438d04ee6df1f4fea5940d3b0fdc9142c0950977881d733c864306d70045e01ee39e3b

Download Submit
C:\ProgramData\cO28269HjNkG28269\cO28269HjNkG28269.exe

Filesize
171KB

MD5
22fbcdf0e0c8f87ba883d4145888262c

SHA1
57038c85534536e1654fb4f44aa8a06422363696

SHA256
7061ed4736fb69de57ff63a84701f8a031812f0773aa30e0e6fb3ba2e0c809c6

SHA512
c13ad16fc91fda8ae38c4b33f6903b41656a4159bb98a5991dde72988d486b620fb6806862f224dcfebab4e41af0804a98ac0f1840be2755cc138245ce540c8b

Download Submit
memory/3488-19-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3488-22-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3488-26-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3488-29-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3488-32-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4996-0-0x0000000002C50000-0x0000000002C52000-memory.dmp

Filesize
8KB

Download
memory/4996-6-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4996-13-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download