945c068ac658fa8592285fb423014069dc6d4796c72b30230eebbef681a27bd3

Analysis

max time kernel
12s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

269393f3a37ee309fe6014e2169130f8.exe
Size

9.0MB
MD5

269393f3a37ee309fe6014e2169130f8
SHA1

cf385d5d68776d2e53779f619793319a76e9e79c
SHA256

945c068ac658fa8592285fb423014069dc6d4796c72b30230eebbef681a27bd3
SHA512

b2b7a30ecad0d9d1fc677a71e21f82d612b2159559f0aa18db14969491f27541c500160acc570e7522c39c0f087074c425161e1e54690429ef2e83764ef2763a
SSDEEP

98304:jjBxcO4EYTj5OrOO53AsRXKIabjKoh9WsWsOIgoSNakDmBt:jjBxcO4jj5WD53931ItDj

Score

8^/10

persistence upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\ETC\HOSTS\HOSTS	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Windows\system32\Drivers\ETC\HOSTS	269393f3a37ee309fe6014e2169130f8.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4956-0-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/files/0x0008000000023206-5.dat	upx
behavioral2/memory/4956-430-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\System Database Administration Service = "C:\\Windows\\system32\\DbTasker.exe"	269393f3a37ee309fe6014e2169130f8.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dbexe2.dll	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Windows\SysWOW64\LockFile.dat	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Windows\SysWOW64\DbTasker.exe	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Windows\SysWOW64\DbTasker.exe	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Windows\SysWOW64\hal.dll	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Windows\SysWOW64\DBTASK.EXE	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Windows\SysWOW64\dbzip2.dll	269393f3a37ee309fe6014e2169130f8.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	269393f3a37ee309fe6014e2169130f8.exe
File created	\??\c:\program files\common files\microsoft shared\clicktorun\WinAmp 5.08 FULL.zip .exe	269393f3a37ee309fe6014e2169130f8.exe
File created	\??\c:\program files\common files\microsoft shared\clicktorun\Visual Studio .NET FULL.zip .cpl	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	269393f3a37ee309fe6014e2169130f8.exe
File created	\??\c:\program files\common files\microsoft shared\clicktorun\Kazaa Lite 2005 Edition.rar .pif	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	269393f3a37ee309fe6014e2169130f8.exe
File created	\??\c:\program files\common files\microsoft shared\clicktorun\Pamela Anderson FULL VIDEO.mpg .scr	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	269393f3a37ee309fe6014e2169130f8.exe
File created	\??\c:\program files\common files\microsoft shared\clicktorun\How to stop NetSky.doc .exe	269393f3a37ee309fe6014e2169130f8.exe
File created	\??\c:\program files\common files\microsoft shared\clicktorun\HalfLife 2 WORKING Steam Activation crack.zip .exe	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	269393f3a37ee309fe6014e2169130f8.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	269393f3a37ee309fe6014e2169130f8.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\WinTask.zip	269393f3a37ee309fe6014e2169130f8.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4196	4956	WerFault.exe	22

NTFS ADS 14 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\,]ÂuLêdc:\program files\common files\microsoft shared\clicktorun\Hacking and Virus Writing for Dummies.pdf .exe	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Users\Admin\AppData\Local\Temp\èlƒc:\program files\common files\microsoft shared\clicktorun\Windows 2000.iso .com	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Users\Admin\AppData\Local\Temp\„ædc:\program files\common files\microsoft shared\clicktorun\Windows XP SP3 REAL VERSION.zip .exe	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Users\Admin\AppData\Local\Temp\c:\program files\common files\microsoft shared\clicktorun\NORTON Internet security 2006.rar .scr	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Users\Admin\AppData\Local\Temp\ c:\program files\common files\microsoft shared\clicktorun\Matrix Reloaded.avi .exe	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Users\Admin\AppData\Local\Temp\³ƒWðédc:\program files\common files\microsoft shared\clicktorun\WinRAR 4.01 Cracked BETA.exe	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Users\Admin\AppData\Local\Temp\c:\program files\common files\microsoft shared\clicktorun\Internet Explorer 7 FULL BETA.exe	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Users\Admin\AppData\Local\Temp\ÿc:\program files\common files\microsoft shared\clicktorun\Norton AntiVirus 2006 BETA.rar .exe	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Users\Admin\AppData\Local\Temp\Üdc:\program files\common files\microsoft shared\clicktorun\Playboy centerfold HOT.gif .scr	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Users\Admin\AppData\Local\Temp\ÿc:\program files\common files\microsoft shared\clicktorun\DVD Xcopy PRO Illegal Warez.iso .exe	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Users\Admin\AppData\Local\Temp\àýƒc:\program files\common files\microsoft shared\clicktorun\Full warez download sites.html .pif	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Users\Admin\AppData\Local\Temp\c:\program files\common files\microsoft shared\clicktorun\Hacking for Dummies.pdf .cpl	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Users\Admin\AppData\Local\Temp\ c:\program files\common files\microsoft shared\clicktorun\Windows XP SP2 WORKING activation crack.zip .exe	269393f3a37ee309fe6014e2169130f8.exe
File created	C:\Users\Admin\AppData\Local\Temp\¼ý£©jDªé³Úí #Ru ÑNuœÜdc:\program files\common files\microsoft shared\clicktorun\Windows XP SECRET DEVELOPER serials.txt .cmd	269393f3a37ee309fe6014e2169130f8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe
4956	269393f3a37ee309fe6014e2169130f8.exe

C:\Users\Admin\AppData\Local\Temp\269393f3a37ee309fe6014e2169130f8.exe
"C:\Users\Admin\AppData\Local\Temp\269393f3a37ee309fe6014e2169130f8.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 3248
  2⤵
  - Program crash
  PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4956 -ip 4956
1⤵
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4956-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4956-430-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download