046c454f208f3fdda54688f681d65dfdd0251f0e4343414f5b6a7dd0ffd15345

Analysis

max time kernel
157s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20f2bb9ca69ee6922cb0c14b5b97179d.exe
Size

12.8MB
MD5

20f2bb9ca69ee6922cb0c14b5b97179d
SHA1

c7bd94f3c46eb703ef7b515cdbfdfcac7ee35879
SHA256

046c454f208f3fdda54688f681d65dfdd0251f0e4343414f5b6a7dd0ffd15345
SHA512

917c38497705f938369f93900fcb6fbdd652c96c7f57f991fa6f862bd2f304cbc4e2630d21e8b7ebf72213ca31e690ed6372a69f4586034c29927b79665b676a
SSDEEP

12288:PHkVE/oSGa6G8vs65rx65rSQDpiCaAmnrRSoWzKyM58DQDpiCaAmnrRSoWzKyM5Q:cVXlv7mk

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1420	suxaceg.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3268-0-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/files/0x0006000000023204-13.dat	upx
behavioral2/files/0x0006000000023204-37.dat	upx
behavioral2/files/0x0006000000023204-38.dat	upx
behavioral2/files/0x000100000000002e-43.dat	upx
behavioral2/memory/1420-55-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/5044-54-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3268-56-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3268-58-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3268-59-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3268-60-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3268-61-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3268-62-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3268-63-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3268-64-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3268-65-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3268-66-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3268-67-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3268-68-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3268-69-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3268-70-0x0000000000400000-0x000000000046D000-memory.dmp	upx

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Help\upbiran.ini	20f2bb9ca69ee6922cb0c14b5b97179d.exe
File created	C:\Windows\SysWOW64\Help\1.tfmsybd	20f2bb9ca69ee6922cb0c14b5b97179d.exe
File created	C:\Windows\SysWOW64\Help\2.tfmsybd	20f2bb9ca69ee6922cb0c14b5b97179d.exe
File created	C:\Windows\SysWOW64\tfmsybd\tfmsybd\npsuwab\m.ini	20f2bb9ca69ee6922cb0c14b5b97179d.exe
File created	C:\Windows\SysWOW64\tfmsybd\tfmsybd\npsuwab\suxaceg.exe	20f2bb9ca69ee6922cb0c14b5b97179d.exe
File opened for modification	C:\Windows\SysWOW64\tfmsybd\tfmsybd\npsuwab\suxaceg.exe	20f2bb9ca69ee6922cb0c14b5b97179d.exe
File created	C:\Windows\system32\spool\DRIVERS\W32X86\3\fmsybdt\fmsybdt.exe	20f2bb9ca69ee6922cb0c14b5b97179d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1420 set thread context of 5044	1420	suxaceg.exe	92

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\2.ini	20f2bb9ca69ee6922cb0c14b5b97179d.exe
File opened for modification	C:\Windows\	20f2bb9ca69ee6922cb0c14b5b97179d.exe
File created	C:\Windows\Help\tfmsybd.hlp	20f2bb9ca69ee6922cb0c14b5b97179d.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4784	5044	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3268	20f2bb9ca69ee6922cb0c14b5b97179d.exe
3268	20f2bb9ca69ee6922cb0c14b5b97179d.exe
3268	20f2bb9ca69ee6922cb0c14b5b97179d.exe
3268	20f2bb9ca69ee6922cb0c14b5b97179d.exe
3268	20f2bb9ca69ee6922cb0c14b5b97179d.exe
3268	20f2bb9ca69ee6922cb0c14b5b97179d.exe
3268	20f2bb9ca69ee6922cb0c14b5b97179d.exe
3268	20f2bb9ca69ee6922cb0c14b5b97179d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3268	20f2bb9ca69ee6922cb0c14b5b97179d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 1420	3268	20f2bb9ca69ee6922cb0c14b5b97179d.exe	91
PID 3268 wrote to memory of 1420	3268	20f2bb9ca69ee6922cb0c14b5b97179d.exe	91
PID 3268 wrote to memory of 1420	3268	20f2bb9ca69ee6922cb0c14b5b97179d.exe	91
PID 1420 wrote to memory of 5044	1420	suxaceg.exe	92
PID 1420 wrote to memory of 5044	1420	suxaceg.exe	92
PID 1420 wrote to memory of 5044	1420	suxaceg.exe	92
PID 1420 wrote to memory of 5044	1420	suxaceg.exe	92
PID 1420 wrote to memory of 5044	1420	suxaceg.exe	92

C:\Users\Admin\AppData\Local\Temp\20f2bb9ca69ee6922cb0c14b5b97179d.exe
"C:\Users\Admin\AppData\Local\Temp\20f2bb9ca69ee6922cb0c14b5b97179d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Windows\SysWOW64\tfmsybd\tfmsybd\npsuwab\suxaceg.exe
  C:\Windows\system32\tfmsybd\tfmsybd\npsuwab\suxaceg.exe -close
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -NetworkService
    3⤵
    PID:5044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 12
      4⤵
      Program crash
      PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5044 -ip 5044
1⤵
PID:3304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Help\1.tfmsybd

Filesize
26B

MD5
c3360b3ab9386f9d09f4c19952818516

SHA1
3e1816d67544ac6e40e682e8c5ea80b3df0aa7ad

SHA256
78707f42d5fc22bc2fcaed9e619c8d60439b689ecd4a99031e6aad5839bbf443

SHA512
6450301de81a838fc0e3239eb607f9e318371c19fbd8779d665e8ff119ec7347ea2db9630a7371dd74f1479d14b218ee35bd176e902a736eb7f60230cf7c1871

Download Submit
C:\Windows\SysWOW64\Help\2.tfmsybd

Filesize
18B

MD5
791b22801c7731449367e8161880bb15

SHA1
3f87f3374013acc32b480de649f7b1f9905756e9

SHA256
7e971e5ae5ccf970122e236f7ad9cbc9e71c00cf0e03f9bb5f45908349d9e0c5

SHA512
99eaf649ca539fe6ae7dd5661ec872a1278ba49b82da8755fc694ed2861b12f9ca727136feb8f37621831deb322fafd04a117088236abbac48ea1084c5a902f0

Download Submit
C:\Windows\SysWOW64\Help\upbiran.ini

Filesize
18B

MD5
43211921b0b9edc68ae6740b62f23409

SHA1
7549398afd9f5a49a5a88ffcce03d5792642644b

SHA256
ffd46cdd9cd657bb27d37d2807717982b005d64d3acbff12d5c6e8f9b58d008b

SHA512
9e4f60ab1b91dd10c90ebd5d4c13e3316c29fb6ca7081be5bc44021e575caabafb5d8a4ff5bd6b916bfb2288a22896640ae02881794e50e2a38321a2fd75e3ed

Download Submit
C:\Windows\SysWOW64\tfmsybd\tfmsybd\npsuwab\m.ini

Filesize
128B

MD5
0cc8efae6047d09d5d6b6dfed6c7dc0b

SHA1
ba35aacfb0f3100ba87eeb9cb436245c3338067c

SHA256
6e1c5d59f5fe5c7ee23aa0ed8ea8638ed61dd77ae9c2b685f0f122502c79dfa6

SHA512
c20fc05b7028fd653be1f8f4f1e6d676f4a4f8be39d9e67486b9baeca1268d2a7e6c8451e99fe064a446fdf36b33b8088d8aada8faffc409dd58aaea3ddf469f

Download Submit
C:\Windows\SysWOW64\tfmsybd\tfmsybd\npsuwab\suxaceg.exe

Filesize
68KB

MD5
031b77088ba56ac40bf5a9277db4dc3c

SHA1
3e9c1269886db89fac88601c8d07e23a9c692890

SHA256
f1ea8be6d01e954e5fbc31ddead7c9e8dddd6bb5aa9481b90955df0d66194f84

SHA512
bb2f682e87b67881bab0563449f3384f6721d762fdb0716e63fe536b77eb02ce4223d1eb98aaf2bc0037e605cdd9ea6a3619b2f2460c42e21fb9bd4b042fbb89

Download Submit
C:\Windows\SysWOW64\tfmsybd\tfmsybd\npsuwab\suxaceg.exe

Filesize
535KB

MD5
09e6cc40b500b5f7e18d8fe05907e19e

SHA1
6b86a6899bec297b7196a4cdc9670de2b9868a55

SHA256
b313b0b88ece65ed646dd1e7765d44cc5aa6acf3a8955db769233e6588b5fee3

SHA512
751d9aa4b78d9b594771c94fa993304cca2dbc427967b95b9aef783660ea78b7b44905597282cf7b228693b8a06c8fbd66681019f7f460676662b6437dc3c464

Download Submit
C:\Windows\SysWOW64\tfmsybd\tfmsybd\npsuwab\suxaceg.exe

Filesize
384KB

MD5
0e136f702e5a79ddb62d3b2688db745d

SHA1
aa8775797b1fd163dcdb04420a6e14228935c549

SHA256
6e3f71475f1d186aea986796679e1641a0008a96bf6d317ec59ce19001dca75e

SHA512
881b24edd3f8ee3709af7b373e53ae3c38629469b95aa34b0e4861a656c89c2a1da297eeea24409b80a161c62baa85ff2664e1562eb6adee9b28dadf49afa43b

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fmsybdt\fmsybdt000.IMD

Filesize
411KB

MD5
81aec5975cd02073d49912b2841332da

SHA1
2aa7b6b6057315dbc93e5ec93d0d8a1a15904612

SHA256
4c42dcf2e3c2bc0490f180388ed854de2989fd2aa90f5608f396611505e781bf

SHA512
ee0325dcb010ca73cb5396a5e083169f7edf50d361a7bd64eb2d23458619c81aeaefad8c13513e5e845d6d5d0adf168bee70ebab769c7e96ca397aba48dff2e1

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fmsybdt\fmsybdt001.IMD

Filesize
194KB

MD5
6cee3563301329c5ff1b4012585cf9c4

SHA1
a9c0801cb5b683d5d69a962112683540002e5806

SHA256
77069bb5b10337e730aa1293f49bbbe7eb4fe165f98497f34ce6cc132ebbc30c

SHA512
4f5c4bd0bb48ee102c2ee096fbbdf0ab3687c82f828528240fb21a8f2fedd8dfd4085f821adb0c618ee9b049fac4bca9c9f9771732e7fc2e407d0e47ee032cac

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fmsybdt\fmsybdt002.IMD

Filesize
314KB

MD5
728aec3999bb3737e60721251284e8fd

SHA1
b1b57e9a97903c07a300e1b0802d59d73278ae82

SHA256
2a359aaeb50bb496fe253ad9bca8dc1831888105a5934b65b6a00a8a0ef128d4

SHA512
af24ffb94d32f2dc5114d06c05561a009f9071d355f44f65bd2ad5bb3c0dc4d010ece10f11c13848a9b13333325e70104dd416ee32ee63b8ea6e10ebc836a673

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fmsybdt\fmsybdt003.IMD

Filesize
401KB

MD5
80dcf1a5f266cf932ceba4ca2cf6cc27

SHA1
7e3fe02024f5bd9450f424517ef48b3c128b6b55

SHA256
b6d15926095916eb8adb3baede77b135e8497c90f8963b9ffc4aa306929ca47a

SHA512
4a97770784634fb68aab90178f9c5323d7457967cc3a881cbd54e004d755c1e3694f4ad913124c544a9e37a9d793425cfc641d4eca2d6d0e23befb391f28306f

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fmsybdt\fmsybdt004.IMD

Filesize
350KB

MD5
99ad06bb069bbf6112b26d2cda3e8366

SHA1
a2d4d8c62299932fd3b2b7b4089a5641a09595db

SHA256
4e9beabcbd5d3a2ddcf334944c234241d2a7a31e30367bf39fe8e07bfa19c3d0

SHA512
56902926e88b0101cf3b934f22bcf1b2180e4db198dba9043e4e5dd6d68291e8c85535338b6b66c3619eb48665ff339e92ed0c74f8d472f806d98ba7266cb32e

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fmsybdt\fmsybdt005.IMD

Filesize
336KB

MD5
218b3714cd6afc0566837c5f67fe9725

SHA1
be67c1169ecaa8a0fd12f8e68fd90e27a0a6263a

SHA256
ba8ea92de55d51f48d0d92db8dad671e5db71db8c94c7ec92d98231a31600b4c

SHA512
6063a0359b0ed2655b2652ef3ae4c0b8d0c37a778f2633f37201f3250f76b8433b70e9e76708936e7676118884c6342d5f47550f6d93e986fd674c553be6cca8

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fmsybdt\fmsybdt006.IMD

Filesize
397KB

MD5
a32d7f2e8fcf790617f983a9eb3e50e8

SHA1
609c55e923a6c966ac722ade6b6fd100a7885602

SHA256
ee325b8fe72296bbdd3780a39c6f281052a31c93fbb74709f0fcfb73f96f876b

SHA512
1e5269b8c96c8cda657b44b5ad0b2522a2af83196364b79e93b970a0538a88c834214a5b44e7b03b4fa866b3f3cc4b31a0a359c54055b01456d748e516ab1001

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fmsybdt\fmsybdt007.IMD

Filesize
271KB

MD5
0137057dd02b4f1af9d622df9c3cb59e

SHA1
e35d88fe654622c98d86648f90707738dcabf433

SHA256
eaea4a9f03cc5a1a4ff2b1310236e74009c1431e424f3acab08988b001fde174

SHA512
5988c38ba67bf05e138518880a59caaf05c20f129629a29239e8c967a9b6ca09955940525d8b46ffcbed64159a1c5c2a544eff32663fbf9e4e24367ee30b3024

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fmsybdt\fmsybdt008.IMD

Filesize
131KB

MD5
fdce0871bc1c2b4e8e80cab9b3618242

SHA1
8c4d9ab500a5d8275eb94a2e856331f7fd326fdb

SHA256
da6d1b5d6b40158d24836d4e99f08b156fad3494e2c44887909c158b1cfd3329

SHA512
254a3496d036c7d317283fe18e30488f78a078535cbb415b66e98b5086a2a37f3948c0c5b31e7598c52b8e5347bacf53dbf02864a663a5deaae5f6bd21a81e6a

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fmsybdt\fmsybdt009.IMD

Filesize
321KB

MD5
b8c8328ab1b969060355cb651cd960df

SHA1
7abd35532662db7799a6fd12a7951bc5ce326615

SHA256
fb987f245be36fd60a50503b83d05b923bfe3cbd03fd050532f22299bdc18a41

SHA512
f132e740c3a80f54096d658e2be3977a20c8d5ac35f3dcbe75c89bdfbbdb659b243ed4ec95f5783509d82e9baef3cce36fa8a5ba6e1b6d15414ffc8fb550364d

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fmsybdt\fmsybdt010.IMD

Filesize
7B

MD5
c58c4a9d10c3c150f69967b5bb307f16

SHA1
b1eaf7d8cc14cd911aa28a28b8aa284a1f284854

SHA256
2dae8adad1b39a0f19625bd9c7a8f36e68dfa26b0933b8a4cf583618ce7106dc

SHA512
5f18b2a4504d862c0c1f417bc387e4776fb64807e7786f1885368bcc87fd3dbad23a69d078db13ae144cf3fc01a5a047941a76acb3f91c2f1d28f8cfffac2956

Download Submit
memory/1420-55-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3268-65-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3268-63-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3268-56-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3268-70-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3268-58-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3268-59-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3268-60-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3268-61-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3268-69-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3268-64-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3268-62-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3268-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3268-66-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3268-67-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3268-68-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5044-54-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download