046c454f208f3fdda54688f681d65dfdd0251f0e4343414f5b6a7dd0ffd15345

Analysis

max time kernel
151s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20f2bb9ca69ee6922cb0c14b5b97179d.exe
Size

12.8MB
MD5

20f2bb9ca69ee6922cb0c14b5b97179d
SHA1

c7bd94f3c46eb703ef7b515cdbfdfcac7ee35879
SHA256

046c454f208f3fdda54688f681d65dfdd0251f0e4343414f5b6a7dd0ffd15345
SHA512

917c38497705f938369f93900fcb6fbdd652c96c7f57f991fa6f862bd2f304cbc4e2630d21e8b7ebf72213ca31e690ed6372a69f4586034c29927b79665b676a
SSDEEP

12288:PHkVE/oSGa6G8vs65rx65rSQDpiCaAmnrRSoWzKyM58DQDpiCaAmnrRSoWzKyM5Q:cVXlv7mk

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2140	sttuvvv.exe

Loads dropped DLL 2 IoCs

pid	Process
1512	20f2bb9ca69ee6922cb0c14b5b97179d.exe
1512	20f2bb9ca69ee6922cb0c14b5b97179d.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1512-0-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/files/0x0006000000016577-12.dat	upx
behavioral1/files/0x0006000000016577-37.dat	upx
behavioral1/files/0x0006000000016577-42.dat	upx
behavioral1/files/0x000100000000002a-49.dat	upx
behavioral1/memory/2140-43-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-41-0x00000000021F0000-0x000000000225D000-memory.dmp	upx
behavioral1/files/0x0006000000016577-35.dat	upx
behavioral1/memory/2140-66-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2576-64-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-67-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-68-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-69-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-71-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-72-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-73-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-74-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-75-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-76-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-77-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-78-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-79-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-80-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-81-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-82-0x0000000000400000-0x000000000046D000-memory.dmp	upx

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Help\upbiran.ini	20f2bb9ca69ee6922cb0c14b5b97179d.exe
File created	C:\Windows\SysWOW64\Help\1.kmnpqrs	20f2bb9ca69ee6922cb0c14b5b97179d.exe
File created	C:\Windows\SysWOW64\Help\2.kmnpqrs	20f2bb9ca69ee6922cb0c14b5b97179d.exe
File created	C:\Windows\SysWOW64\kmnpqrs\kmnpqrs\sttuvvv\m.ini	20f2bb9ca69ee6922cb0c14b5b97179d.exe
File created	C:\Windows\SysWOW64\kmnpqrs\kmnpqrs\sttuvvv\sttuvvv.exe	20f2bb9ca69ee6922cb0c14b5b97179d.exe
File opened for modification	C:\Windows\SysWOW64\kmnpqrs\kmnpqrs\sttuvvv\sttuvvv.exe	20f2bb9ca69ee6922cb0c14b5b97179d.exe
File created	C:\Windows\system32\spool\DRIVERS\W32X86\3\mnpqrsk\mnpqrsk.exe	20f2bb9ca69ee6922cb0c14b5b97179d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2140 set thread context of 2576	2140	sttuvvv.exe	29

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Help\kmnpqrs.hlp	20f2bb9ca69ee6922cb0c14b5b97179d.exe
File created	C:\Windows\2.ini	20f2bb9ca69ee6922cb0c14b5b97179d.exe
File opened for modification	C:\Windows\	20f2bb9ca69ee6922cb0c14b5b97179d.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1512	20f2bb9ca69ee6922cb0c14b5b97179d.exe
1512	20f2bb9ca69ee6922cb0c14b5b97179d.exe
1512	20f2bb9ca69ee6922cb0c14b5b97179d.exe
1512	20f2bb9ca69ee6922cb0c14b5b97179d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1512	20f2bb9ca69ee6922cb0c14b5b97179d.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2140	1512	20f2bb9ca69ee6922cb0c14b5b97179d.exe	28
PID 1512 wrote to memory of 2140	1512	20f2bb9ca69ee6922cb0c14b5b97179d.exe	28
PID 1512 wrote to memory of 2140	1512	20f2bb9ca69ee6922cb0c14b5b97179d.exe	28
PID 1512 wrote to memory of 2140	1512	20f2bb9ca69ee6922cb0c14b5b97179d.exe	28
PID 2140 wrote to memory of 2576	2140	sttuvvv.exe	29
PID 2140 wrote to memory of 2576	2140	sttuvvv.exe	29
PID 2140 wrote to memory of 2576	2140	sttuvvv.exe	29
PID 2140 wrote to memory of 2576	2140	sttuvvv.exe	29
PID 2140 wrote to memory of 2576	2140	sttuvvv.exe	29
PID 2140 wrote to memory of 2576	2140	sttuvvv.exe	29

C:\Users\Admin\AppData\Local\Temp\20f2bb9ca69ee6922cb0c14b5b97179d.exe
"C:\Users\Admin\AppData\Local\Temp\20f2bb9ca69ee6922cb0c14b5b97179d.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\kmnpqrs\kmnpqrs\sttuvvv\sttuvvv.exe
  C:\Windows\system32\kmnpqrs\kmnpqrs\sttuvvv\sttuvvv.exe -close
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -NetworkService
    3⤵
    PID:2576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Help\1.kmnpqrs

Filesize
26B

MD5
2f2e108b9eebd82934f0fe0e3292cf20

SHA1
1198ee56763ba57d8d738acf2a3528d078206c47

SHA256
03e3e778d9d0b1239bf989700dc1c1f41116c40483aea97b881c5a27d4224965

SHA512
2f7618e69f9d07acf051107e34a9d54ae0aab2f8f3471da5f65b95a2a80d26b776c407bd1555392771ef17ee59cf7932b65009f25d958a149c282fa4b70418ff

Download Submit
C:\Windows\SysWOW64\Help\2.kmnpqrs

Filesize
18B

MD5
f8920b04d991b33c1c4a1933a56d0c0b

SHA1
3e3e576411373979a9bbe1d6c177d0e31605a97a

SHA256
22b9b7796908800e0df94d2a8ad945df95922a46e93e8302c52fbfebf5502885

SHA512
e29911e2a8c13ad6b524ed0af5d38d0152995cb85275959e30c16e3d61787ca21d0c3acd0e732558254d7cbf3fe273df907de93814f8bbdbf2e2e5cbfbfcabe9

Download Submit
C:\Windows\SysWOW64\Help\upbiran.ini

Filesize
18B

MD5
ce8c9ab96513b06418737dd32d49a5e6

SHA1
27554c6ad0381587a0827ee9d0bb5584ab382759

SHA256
2f5c4e9df738d3469b5aefdacea83079225e0386dbd113f74742e50b6a98d449

SHA512
5b62ece0c9e3cbabe75c66d2348fd32fd295e03a8a05cc6316435fcef7c7f801ea55f01b46d6034d40c8c0748c7d1a47287e00392bb4c4907b64748fce53fae4

Download Submit
C:\Windows\SysWOW64\kmnpqrs\kmnpqrs\sttuvvv\m.ini

Filesize
128B

MD5
380318719984377bcfc049472546040f

SHA1
d71e8909cb95b386fd61a0333ddc380c8af2b6a8

SHA256
2b4bd7722270ba5bf30b21db0fb9de2af87f3f0e0927fc7c59e24051c8b11da0

SHA512
f5cc9396f56a43e03ac01b72fddd7b59416e1d986ca7ae5e3f43fb0e2187e07b4578000059ac90621f04e56958dcdea87343fbcca304b9d786699d5ba2d0ad34

Download Submit
C:\Windows\SysWOW64\kmnpqrs\kmnpqrs\sttuvvv\sttuvvv.exe

Filesize
257KB

MD5
dca0c33fb9b3c5cf39b45b92a24c7bff

SHA1
3464ab5a37877e75b75dc4ede2432f724af2f069

SHA256
1f9d917c5ee94f2f42b2ef781b4e8acc8fe45ef2f88b1d1bf35a127a8540eeda

SHA512
23f87ad6b5d1cb2f51c477c508f6233d4c7d3bc100b4e77d36d5561df1612bbf9f416896e4515596afe0bc41ae840a6eb3d8dfb8c5371104e6bee73928f85c8d

Download Submit
C:\Windows\SysWOW64\kmnpqrs\kmnpqrs\sttuvvv\sttuvvv.exe

Filesize
28KB

MD5
348508b6fba4460df08a6f3cdeb23b7e

SHA1
e3182d5dd05d604c5411a3581a707cb7ef5e8dc2

SHA256
b5e97982dc5451ab49f09f81345b75b0bcd6e96b2bd988233f1c3d1656801736

SHA512
b29bb3df0cdfd33f851801b621c3d37961e613762bdee264955af3109f84519f71cfa799f971796e9871c573a09688c68a8d7e6c2e4f4c1d08813da74731512b

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\mnpqrsk\mnpqrsk000.IMD

Filesize
1018KB

MD5
056abf1d3ec428dcc823d5d36b234f5a

SHA1
8d443e3e36a01a07d93f7f36755d77068640be3c

SHA256
6a59952ccd060ed611d5facdfe1a8d0700767f19596baccd492d26c40f4eae1a

SHA512
89c83a299f96d0352d5b00bbfc8f92547e22cbaa1a32b2b5264d355af6da08ed2b686e846ab3edf80b76c8769c78f56d08e9e329164a98ea5d3784b8547d23c1

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\mnpqrsk\mnpqrsk001.IMD

Filesize
15KB

MD5
27a94f9d0896df747e900e267bcb2361

SHA1
3e64c827863e3108e95f4821b4bc8cf2895768e1

SHA256
6343e363e0104b4b899d9f5c0ac38705c5808db5ae41df346bb66392b5d9d4b0

SHA512
c550c55f8ce86fc74fc4d7f8649e9572cc511c55bbeeef7d7ce071e971f081bb45ab68d2a5983e15488483ef2f68aaf14e6c2fea3ff2d032cc3e064d2861ebde

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\mnpqrsk\mnpqrsk002.IMD

Filesize
1.0MB

MD5
7b46e450bf5647db5a0d67f60ff771e8

SHA1
6d63d2b0e3edcbe99f65623f658bab5283cf7401

SHA256
930e6303d4a77f9de5a15cef9e8830907153c570b9f1fe669591df0a3c834855

SHA512
d443d8c5645f97bf7bde6ef82b525f6d6565844d2dcfc33749cc1135a86e5d527f1811d5ebf7777a092131ae3b571d1f238f4506b46ef6e0b4c6cc391688beff

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\mnpqrsk\mnpqrsk003.IMD

Filesize
646KB

MD5
f8b4fa9279836072cc4fb24f726e385e

SHA1
f4cf268a496131794522a4cb2da88aed1149a255

SHA256
b960415150f62aab70bdb1bcd9b0733a223262747467cc763d2095c6a4fd3feb

SHA512
f470f031ebc0d5e1b99ed6e8b3041d46a975a00f918efbfc441b91c075d3f164286a6e41f8c8db4bf8258450fc59b36296b8e3f08efeab2a6e7ee6f6044e7193

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\mnpqrsk\mnpqrsk004.IMD

Filesize
998KB

MD5
55a81004b42b1015808c8e527d47e97a

SHA1
00701501737229f59ab0429544f594484c3f7a0e

SHA256
3c04c9acdbcfac9c21d1347461678296ab0408f845a825ad8b4e1b668414f938

SHA512
0d650d2dcedfe1db4dbe305917f215b94699722231d02159eb92b19f8944a9890fec0fe393fef370f4615437f2132481f4b49dc18a41cfafeedb9d7b667932ae

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\mnpqrsk\mnpqrsk005.IMD

Filesize
674KB

MD5
9f37f35786d10bcb612f141acb88670c

SHA1
0b81541dd469af1e3eb5fe0068112a7dcb3c00e5

SHA256
ddfa808624ffa97600813486b47ca045f8f87d8429d8a3d84749a7618c0db864

SHA512
b0480dc51f54d6d6893aad4c8e1349f37e9b187f451479de82eda7f12164ca27baa7c1741091af8a28064542771d64b3d957b362300af775ed006309d78262db

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\mnpqrsk\mnpqrsk006.IMD

Filesize
838KB

MD5
6c1e616112a894f21f2f853f10b18691

SHA1
aa227ff38657b5ac79a11d17e5fc18be23648891

SHA256
4a2d6252a027ef7437e204b4595fc1120d54564528bcad94575d6cdd17e2c281

SHA512
ed99623a74b5d813bdc53568ba7c867a2e952c82a4ff4a40667712b1dffda14adbc3408bdb333e1cccc75b3e92b9648f783e81a95ad33d063edf4f3d7677ede7

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\mnpqrsk\mnpqrsk007.IMD

Filesize
881KB

MD5
79c583cc652dd2e01563c7ed4083f730

SHA1
ac8b1451cea13ea814bc94d1fb9e79ee3bced20d

SHA256
4087e760662e7f5ea922978fdd75367584d6e0c1252c445707a83b04398471d5

SHA512
9f29cacc7a67ec0e20fac516656d2d86f6cb3b6d9f44f88abd5dd11bfb551ee8471d5e79f3cebeb4fffed3e03ef09ccf7ac46036a39fbff5574dc0f04d719926

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\mnpqrsk\mnpqrsk008.IMD

Filesize
812KB

MD5
5cc8f745926171bbcc52452a3abc4dc9

SHA1
85534828eb61915c6f090f189a9d3d97437aff97

SHA256
2e202b6d73d487d4f07cae6579ec7f9b2bd96e174abf5c783f0a6536b3b2d1be

SHA512
807c47925b3cab510dedc8dc889d89e2914446a03824ebad004b6afc22c4e95726036d4ddd9f0029530e06084b70e8901318baba70c07d6f726e28f9d4996f9d

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\mnpqrsk\mnpqrsk009.IMD

Filesize
512KB

MD5
ecb052aca13a244dbf3b2886369423a0

SHA1
57dd96364f618c210a29c0ae45b4396a957f1610

SHA256
6080d662e9fd0cf5faa1cb6ad9310ddde9b5795008d9b9d2e536d2ce9ba5752d

SHA512
c1b3c386317af4d8f4fe4a1c1b70acee63a0f4c470f6431838ca92f8467c7085980c5e650a1fa5ca5a225347abdd20831c83cd7a600ba32d8d734e7afbcb9f4e

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\mnpqrsk\mnpqrsk010.IMD

Filesize
7B

MD5
c58c4a9d10c3c150f69967b5bb307f16

SHA1
b1eaf7d8cc14cd911aa28a28b8aa284a1f284854

SHA256
2dae8adad1b39a0f19625bd9c7a8f36e68dfa26b0933b8a4cf583618ce7106dc

SHA512
5f18b2a4504d862c0c1f417bc387e4776fb64807e7786f1885368bcc87fd3dbad23a69d078db13ae144cf3fc01a5a047941a76acb3f91c2f1d28f8cfffac2956

Download Submit
\Windows\SysWOW64\kmnpqrs\kmnpqrs\sttuvvv\sttuvvv.exe

Filesize
1.3MB

MD5
88e9e37498191ba5740d96da259448eb

SHA1
fa447e4f1eb3fe19dfa832467a75c14300a8a132

SHA256
63b776c4e7cb5db002ff0d6c11294a42d547bbe2970f58d507eda47605b35abe

SHA512
b4980b8da8c469c0d0b27c3c36eba444719787604349d0019e75b12cebb61b4c2bd103f7f7c2a807c61f616eb4cf9b248939162a729e0b2184380cfe748ed1db

Download Submit
\Windows\SysWOW64\kmnpqrs\kmnpqrs\sttuvvv\sttuvvv.exe

Filesize
73KB

MD5
1e18ab9732ea7f53d1fd71fbccdb1b34

SHA1
ec4b0f235228ead162a696cf2c02a4f916d4fe5b

SHA256
3cb1b44e1b86540959380589415e3f2f4175187b792bc1237e8d75ee11f79a7f

SHA512
f1a8af3b5e2b0a7199e489ff8bf33bc87bae08d0eb9f63a6979ed1717c18b89a0fb6f94bc2ae7496cfc3666f5c539d7c7c0532492a41c7d16e8f54b7a53283cc

Download Submit
memory/1512-68-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-75-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-41-0x00000000021F0000-0x000000000225D000-memory.dmp

Filesize
436KB

Download
memory/1512-82-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-81-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-80-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-79-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-78-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-67-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-44-0x00000000021F0000-0x000000000225D000-memory.dmp

Filesize
436KB

Download
memory/1512-69-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-70-0x00000000021F0000-0x000000000225D000-memory.dmp

Filesize
436KB

Download
memory/1512-71-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-72-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-73-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-74-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-76-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-77-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2140-66-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2140-43-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2576-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2576-64-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download