Analysis

  • max time kernel
    0s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/12/2023, 06:35

General

  • Target

    2be023437c9ac2ee5cf5ff59f2755695.exe

  • Size

    121KB

  • MD5

    2be023437c9ac2ee5cf5ff59f2755695

  • SHA1

    fce23cea7072b64f26e93c4d22e110313e373c45

  • SHA256

    95b9b425ba1ba1a3033854240482ebafbe574717fe656b6642e13a29acdf683b

  • SHA512

    3a0a6c0a88466eed5facb3ff19e33fc302e7c0e7d09595001df7261a63bb3507eb70b98c2ba1d5aea6c23d4fa4146b5daf0292954550093146f072822c553cf5

  • SSDEEP

    3072:QCbOc4Mx4WckUmgAsOxIYcNmqr5pHkDdKblcd8A5RxfF70H5:Q9qxf+ArxIYgrHgKRcN5RxN70H5

Score
7/10
upx

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 4 IoCs
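
The "UPX packed file" signature above is the kind of check that keys on the packer's section names (UPX0/UPX1, plus the `UPX!` marker in the stub). The following Python is an added example, not part of this report or the sandbox's own rule set: it walks the PE section table by hand (no `pefile` dependency) and reports UPX-style sections. The PE image it runs on is constructed inline purely to exercise the parser; it is not the sample above, and `build_fake_pe` is a helper invented for this example.

```python
import struct

# Constructed, minimal PE32 image (DOS stub, PE signature, COFF header,
# zeroed optional header, section table). It is NOT the analysed sample;
# it exists only so the parser below has something to run on offline.
def build_fake_pe(section_names):
    e_lfanew = 0x80          # offset of the "PE\0\0" signature
    size_opt = 0xE0          # SizeOfOptionalHeader for PE32
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Signature + IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x014C, len(section_names),
                       0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    sections = b""
    for i, name in enumerate(section_names):
        # IMAGE_SECTION_HEADER is 40 bytes; only the name matters here
        sections += struct.pack("<8sIIIIIIHHI",
                                name.encode("ascii").ljust(8, b"\0"),
                                0x1000, 0x1000 * (i + 1), 0x200, 0x200 * (i + 1),
                                0, 0, 0, 0, 0x60000020)
    return bytes(dos) + coff + bytes(opt) + sections


def pe_section_names(data):
    """Return the section names of a PE file, parsed straight from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt   # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + i * 40
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def upx_indicators(data):
    """Section names that look like UPX's, plus whether the 'UPX!' marker is present."""
    hits = [n for n in pe_section_names(data) if n.upper().startswith("UPX")]
    return {"sections": hits, "marker": b"UPX!" in data}


if __name__ == "__main__":
    packed = build_fake_pe(["UPX0", "UPX1", ".rsrc"])
    print(upx_indicators(packed))
    print(upx_indicators(build_fake_pe([".text", ".data", ".rsrc"])))
```

Treat a hit as a lead, not proof: a modified UPX build can rename the sections and strip the marker, which is why the signature text says "UPX/modified UPX". For the real sample, `upx -t <file>` confirms the stock format and `upx -d` unpacks it; if both fail while the section names match, the headers have been tampered with and the file must be unpacked dynamically.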

Processes

  • C:\Users\Admin\AppData\Local\Temp\2be023437c9ac2ee5cf5ff59f2755695.exe
    "C:\Users\Admin\AppData\Local\Temp\2be023437c9ac2ee5cf5ff59f2755695.exe"
    1⤵
    PID:5004
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
      2⤵
      PID:3756
      • C:\Windows\SysWOW64\cacls.exe
        "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Admin:F
        3⤵
        PID:3904
      • C:\ntfsus.exe
        C:\ntfsus.exe
        3⤵
        PID:4528
      • C:\Windows\SysWOW64\com\LSASS.EXE
        "C:\Windows\system32\com\LSASS.EXE"
        3⤵
        PID:1900
        • C:\ntfsus.exe
          "C:\ntfsus.exe"
          4⤵
          PID:4888
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c rd /s /q "C:\ntfsus.exe"
          4⤵
          PID:3860
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
          4⤵
          PID:4044
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|E:\pagefile.pif"
          4⤵
          PID:4348
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|D:\pagefile.pif"
          4⤵
          PID:3028
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|C:\pagefile.pif"
          4⤵
          PID:3016
        • C:\Windows\SysWOW64\ping.exe
          ping.exe -f -n 1 www.baidu.com
          4⤵
          • Runs ping.exe
          PID:3460
        • C:\Windows\SysWOW64\ping.exe
          ping.exe -f -n 1 www.baidu.com
          4⤵
          • Runs ping.exe
          PID:4216
        • C:\Windows\SysWOW64\ping.exe
          ping.exe -f -n 1 www.baidu.com
          4⤵
          • Runs ping.exe
          PID:4340
        • C:\Windows\SysWOW64\ping.exe
          ping.exe -f -n 1 www.baidu.com
          4⤵
          • Runs ping.exe
          PID:3968
      • C:\Windows\SysWOW64\cacls.exe
        "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\LSASS.EXE /e /t /g Admin:F
        3⤵
        PID:3736
      • C:\Windows\SysWOW64\cacls.exe
        "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
        3⤵
        PID:2456
  • C:\Windows\SysWOW64\com\SMSS.EXE
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
    1⤵
    PID:4884
  • C:\ntfsus.exe
    C:\ntfsus.exe
    1⤵
    PID:3012
  • C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q "C:\ntfsus.exe"
    1⤵
    PID:4696
  • C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q "C:\Windows\system32\com\SMSS.EXE"
    1⤵
    PID:4836
  • C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Admin:F
    1⤵
    PID:3284
  • C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\LSASS.EXE /e /t /g Admin:F
    1⤵
    PID:4504
  • C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
    1⤵
    PID:4312
  • C:\Windows\SysWOW64\com\SMSS.EXE
    C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|E:\pagefile.pif
    1⤵
    PID:4208
  • C:\Windows\SysWOW64\com\SMSS.EXE
    C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|D:\pagefile.pif
    1⤵
    PID:1512
  • C:\Windows\SysWOW64\com\SMSS.EXE
    C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|C:\pagefile.pif
    1⤵
    PID:1436
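
The process tree carries more than the three signatures the sandbox fired. Two details to read it correctly: the command lines name `System32` but the images resolve under `SysWOW64`, which is WoW64 file-system redirection for a 32-bit process (the resource tags list both x64 and x86); and `^|` is cmd's escape for a literal pipe, so `SMSS.EXE` receives `<path>\LSASS.EXE|<drive>:\pagefile.pif` as a single argument rather than a pipeline. Beyond that, the tree shows core Windows process names (`SMSS.EXE`, `LSASS.EXE`) running from a `com` subdirectory, `cacls` granting `Admin:F` on those files, `pagefile.pif` being written to the root of every drive letter, a binary in the all-users Startup folder, and repeated `ping -n 1` probes to `www.baidu.com`. The Python below is an added example, not part of this report or of any sandbox product: it runs simple triage rules over (PID, image path, command line) tuples copied from the tree above and tags each of those behaviours. The rule names (`masquerade`, `acl-grant`, and so on) and the `triage` function are this example's own.

```python
import re
import ntpath

# (PID, image path, command line) tuples copied from the process tree above.
TREE = [
    (5004, r"C:\Users\Admin\AppData\Local\Temp\2be023437c9ac2ee5cf5ff59f2755695.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\2be023437c9ac2ee5cf5ff59f2755695.exe"'),
    (3756, r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"'),
    (3904, r"C:\Windows\SysWOW64\cacls.exe",
           r'"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Admin:F'),
    (4528, r"C:\ntfsus.exe", r"C:\ntfsus.exe"),
    (1900, r"C:\Windows\SysWOW64\com\LSASS.EXE", r'"C:\Windows\system32\com\LSASS.EXE"'),
    (3860, r"C:\Windows\SysWOW64\cmd.exe", r'cmd.exe /c rd /s /q "C:\ntfsus.exe"'),
    (4044, r"C:\Windows\SysWOW64\cmd.exe", r'cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"'),
    (4348, r"C:\Windows\SysWOW64\cmd.exe",
           r'cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|E:\pagefile.pif"'),
    (3460, r"C:\Windows\SysWOW64\ping.exe", r"ping.exe -f -n 1 www.baidu.com"),
    (4884, r"C:\Windows\SysWOW64\com\SMSS.EXE",
           r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe"),
    (4208, r"C:\Windows\SysWOW64\com\SMSS.EXE",
           r"C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|E:\pagefile.pif"),
]

# Core Windows process names that have no business running from a subdirectory.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "lsass.exe",
                "services.exe", "winlogon.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

CACLS_RE = re.compile(r'cacls\.exe"?\s+(\S+)\s+/e\s+/t\s+/g\s+([^:\s]+):F', re.I)
RD_RE = re.compile(r'\brd\s+/s\s+/q\s+"([^"]+)"', re.I)
DRIVE_ROOT_RE = re.compile(r"\b([A-Z]):\\pagefile\.pif", re.I)   # <drive>:\pagefile.pif
PING_RE = re.compile(r"ping(?:\.exe)?\s+(?:-\w\s+)*?-n\s+1\s+(\S+)", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def masquerading_image(image):
    """True when a core Windows process name runs from outside System32/SysWOW64."""
    directory, name = ntpath.split(image)
    return name.lower() in SYSTEM_NAMES and directory.lower() not in LEGIT_DIRS


def triage(tree):
    """Return (rule, pid, detail) findings for each tuple in the tree."""
    findings = []
    for pid, image, cmd in tree:
        if masquerading_image(image):
            findings.append(("masquerade", pid, image))
        m = CACLS_RE.search(cmd)
        if m:   # ACL change: target path and the account granted Full control
            findings.append(("acl-grant", pid, f"{m.group(1)} -> {m.group(2)}:F"))
        m = RD_RE.search(cmd)
        if m:   # recursive, quiet deletion
            findings.append(("delete", pid, m.group(1)))
        for drive in DRIVE_ROOT_RE.findall(cmd):
            findings.append(("drive-root-drop", pid, f"{drive.upper()}:\\pagefile.pif"))
        m = PING_RE.search(cmd)
        if m:   # single-packet ping: connectivity check / crude delay
            findings.append(("ping-check", pid, m.group(1)))
        if STARTUP_RE.search(cmd):
            findings.append(("startup-persistence", pid, cmd))
    return findings


def rules_hit(findings):
    """Distinct rule names that fired, for a one-line summary."""
    return sorted({rule for rule, _, _ in findings})


if __name__ == "__main__":
    for rule, pid, detail in triage(TREE):
        print(f"{rule:20} PID {pid:<5} {detail}")
    print("rules:", ", ".join(rules_hit(triage(TREE))))
```

The rules are deliberately narrow so they fire only on the behaviour this tree actually shows; the point of the exercise is that the masquerading paths, the `cacls` grants and the per-drive `pagefile.pif` drops are each individually huntable in EDR process-creation telemetry, independent of the UPX and ping signatures the sandbox scored.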

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

    Filesize
    108KB

    MD5
    17d153406cc418082ea2191c9dc30e24

    SHA1
    a8a224e1cacb0de47050c89dd2c62b67fd2d4552

    SHA256
    4203c7d12901250d7d3189360e855906665355f273fb83ad116cb27352f7a5a4

    SHA512
    be3326db5be4d7dcb2d3d4c59470e31e6064e96049cdecd1352347539840ad0732011b367c359d76e511659ded0259871164ff522070db66abdf8eee01eefac7

  • memory/5004-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize
    140KB

  • memory/5004-32-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize
    140KB