62db270b2d0a8af52f2a1ecba12f63e49a20b4ae1544c1ff66b583eedaa637a6

Analysis

max time kernel
3s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2024 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

610eddef44af9c3788502c36841e580e.exe
Size

452KB
MD5

610eddef44af9c3788502c36841e580e
SHA1

bc810507b217e04a37ac0bf1f513741153625841
SHA256

62db270b2d0a8af52f2a1ecba12f63e49a20b4ae1544c1ff66b583eedaa637a6
SHA512

c27e403259155513f8b2ab844f6c3932dd319ce6976d9a0e2bb3eae58a209fce8a76e05529b144499b6b7aaa0514bdcd87613dcf7a5c42c4ece4cebdafa22a07
SSDEEP

12288:sYU476vtic2xSNc8DtoQRWIvf5qZ4KAlPfEOX:nutj22c8RVWFZ3ARsOX

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4776	jm9su7UE.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3136-53-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3136-51-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3136-50-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3136-47-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
380	tasklist.exe
996	tasklist.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4776	jm9su7UE.exe
4776	jm9su7UE.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
428	610eddef44af9c3788502c36841e580e.exe
4776	jm9su7UE.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 4776	428	610eddef44af9c3788502c36841e580e.exe	26
PID 428 wrote to memory of 4776	428	610eddef44af9c3788502c36841e580e.exe	26
PID 428 wrote to memory of 4776	428	610eddef44af9c3788502c36841e580e.exe	26

C:\Users\Admin\AppData\Local\Temp\610eddef44af9c3788502c36841e580e.exe
"C:\Users\Admin\AppData\Local\Temp\610eddef44af9c3788502c36841e580e.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:428
- C:\Users\Admin\jm9su7UE.exe
  C:\Users\Admin\jm9su7UE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4776
- - C:\Users\Admin\wuapeav.exe
    "C:\Users\Admin\wuapeav.exe"
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del jm9su7UE.exe
    3⤵
    PID:4816
- C:\Users\Admin\bqhost.exe
  C:\Users\Admin\bqhost.exe
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:5080
- C:\Users\Admin\auhost.exe
  C:\Users\Admin\auhost.exe
  2⤵
  PID:224
- C:\Users\Admin\elhost.exe
  C:\Users\Admin\elhost.exe
  2⤵
  PID:3576
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del 610eddef44af9c3788502c36841e580e.exe
  2⤵
  PID:3188

C:\Windows\SysWOW64\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:380

C:\Users\Admin\auhost.exe
"C:\Users\Admin\auhost.exe"
1⤵
PID:3136

C:\Windows\SysWOW64\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\jm9su7UE.exe

Filesize
125KB

MD5
2f8679397dc7c8646c3de58d069c2434

SHA1
36b21b6a0d1ab545786994c24863068bb6aefdb1

SHA256
17c4e2f87609a8428efeddf36ad7da757abb4ee1266aeaab5bb99cb0128ac88f

SHA512
9c732f4ab2462964652219b1d03512f025615379d0955233c1a3217b818b730a3f88ba5e970ea660b6210f030e349199823ab0a806d5e0c5bb1fb5c8c9fb617a

Download Submit
C:\Users\Admin\jm9su7UE.exe

Filesize
32KB

MD5
351e1f54628c28cc480592694790276a

SHA1
2c9ca32b3fd47b01fe3f9705f7fc4c1f8a21cedf

SHA256
426030aba6497d453167ab602893ae0b86c1271610edb8ea211c32087a9a5bc3

SHA512
f050206f0584f5cc93f48bf7513c94524cca5d1a698638e5b031104e605c6ad8cdf10a5014945305bb75666c57ce593f80c7f1c8eddf8e433c183ef12cd966c7

Download Submit
C:\Users\Admin\wuapeav.exe

Filesize
32KB

MD5
fc47ab33256092a5433a046c3871d4e8

SHA1
cf881002082449e6b247d431c98edf6bed887d88

SHA256
7fd67d193aedac1a990254eea08e9934b88d557110f4f0868a9a8aa7876e2e0f

SHA512
b1b2e79008400e5c6e84798f414bb61710583615be80ab2172aff08d901dd3e619ed67d92f3927b33fe056abae45f3b2a936ec80ec8b07fd705a946868af4c7d

Download Submit
memory/2340-62-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2340-64-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2340-66-0x0000000002840000-0x0000000002887000-memory.dmp

Filesize
284KB

Download
memory/2340-57-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/2340-58-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2340-59-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2340-60-0x0000000002840000-0x0000000002887000-memory.dmp

Filesize
284KB

Download
memory/2340-61-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/3136-51-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3136-47-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3136-50-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3136-53-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download