1d9bb08018966e4cd74739c15025a234d671c528a96ec5a6599efd5270d03d18

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50b90025d642110ad81263dbcca870b0.exe
Size

2.5MB
MD5

50b90025d642110ad81263dbcca870b0
SHA1

8058050ec4aa6c7ef08429d8fc5fe0ddbae057b3
SHA256

1d9bb08018966e4cd74739c15025a234d671c528a96ec5a6599efd5270d03d18
SHA512

64f09699eb04905edd6869adad51a6cf214966cafbe9c2f8a69e4c634782e0a0018456f54a5794833c93032c4a934667bad3fab22b76e953ce37f5ac10477187
SSDEEP

49152:6h+ITG1IpIzNYnnkKNX/1irE8zhd0W5E2ibtXbYm7MxvA3Bv9:6EIT8IIxUNXYrE8FZ5JIeK19

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2936	autorun.exe

Loads dropped DLL 1 IoCs

pid	Process
2220	50b90025d642110ad81263dbcca870b0.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016e24-108.dat	upx
behavioral1/memory/2220-110-0x0000000003230000-0x0000000003541000-memory.dmp	upx
behavioral1/files/0x0006000000016e24-112.dat	upx
behavioral1/files/0x0006000000016e24-111.dat	upx
behavioral1/memory/2936-114-0x0000000000400000-0x0000000000711000-memory.dmp	upx
behavioral1/files/0x0006000000016e24-113.dat	upx
behavioral1/memory/2936-121-0x0000000000400000-0x0000000000711000-memory.dmp	upx
behavioral1/memory/2936-123-0x0000000000400000-0x0000000000711000-memory.dmp	upx
behavioral1/memory/2936-124-0x0000000000400000-0x0000000000711000-memory.dmp	upx
behavioral1/memory/2936-125-0x0000000000400000-0x0000000000711000-memory.dmp	upx
behavioral1/memory/2936-126-0x0000000000400000-0x0000000000711000-memory.dmp	upx
behavioral1/memory/2936-127-0x0000000000400000-0x0000000000711000-memory.dmp	upx
behavioral1/memory/2936-128-0x0000000000400000-0x0000000000711000-memory.dmp	upx
behavioral1/memory/2936-129-0x0000000000400000-0x0000000000711000-memory.dmp	upx
behavioral1/memory/2936-130-0x0000000000400000-0x0000000000711000-memory.dmp	upx
behavioral1/memory/2936-131-0x0000000000400000-0x0000000000711000-memory.dmp	upx
behavioral1/memory/2936-132-0x0000000000400000-0x0000000000711000-memory.dmp	upx
behavioral1/memory/2936-133-0x0000000000400000-0x0000000000711000-memory.dmp	upx
behavioral1/memory/2936-134-0x0000000000400000-0x0000000000711000-memory.dmp	upx
behavioral1/memory/2936-135-0x0000000000400000-0x0000000000711000-memory.dmp	upx
behavioral1/memory/2936-136-0x0000000000400000-0x0000000000711000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2936	autorun.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2220	50b90025d642110ad81263dbcca870b0.exe
2220	50b90025d642110ad81263dbcca870b0.exe
2936	autorun.exe
2936	autorun.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2936	2220	50b90025d642110ad81263dbcca870b0.exe	28
PID 2220 wrote to memory of 2936	2220	50b90025d642110ad81263dbcca870b0.exe	28
PID 2220 wrote to memory of 2936	2220	50b90025d642110ad81263dbcca870b0.exe	28
PID 2220 wrote to memory of 2936	2220	50b90025d642110ad81263dbcca870b0.exe	28
PID 2220 wrote to memory of 2936	2220	50b90025d642110ad81263dbcca870b0.exe	28
PID 2220 wrote to memory of 2936	2220	50b90025d642110ad81263dbcca870b0.exe	28
PID 2220 wrote to memory of 2936	2220	50b90025d642110ad81263dbcca870b0.exe	28

C:\Users\Admin\AppData\Local\Temp\50b90025d642110ad81263dbcca870b0.exe
"C:\Users\Admin\AppData\Local\Temp\50b90025d642110ad81263dbcca870b0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\50b90025d642110ad81263dbcca870b0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\xp.btn

Filesize
1KB

MD5
3141a5fadf059c58f84700d663a4157d

SHA1
a5f75fdb8a3a5b1ecd29b6814ce8140d4ec77160

SHA256
1f6b8209eafd4354f52aff3e9fd534dc3c319c1871abb861c7cb7522bafd3230

SHA512
084bcd429fd41091a9bd04ad393e2cc7d31e8688c33d7970c4a01fa111ebcfaf11eabfd6707ead570e93e77a4d0c570daf3c891bd7eb6411a3fe78d4f9cd63cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\exit.png

Filesize
1KB

MD5
421ed8d0981489463fc473d5c040447e

SHA1
42ecc574b5ed7c39641162b3e611d8321c57d7e2

SHA256
d14372c13c69f8b8abe31258b38befbfb8c12d3c261fbf92f9f3309d1c7ebcd8

SHA512
c3ad780b5470519e8b94365ba9414d56743525fd8a5a5623fed39ae8219e1c9c2dfcf331704ac6628cd09c140c69975c833d7fdd3d09e924279a178569e1747a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\header6.png

Filesize
2KB

MD5
df6666b1d7466f8496259a2e42de8cd1

SHA1
bac5bf34ac08ee516dce3f4eb91bb891986903d8

SHA256
0f9b746f5496d339cd54dc5b6a4cc015fa069ff10554b81e0027499ece4ad975

SHA512
1827a6a74798f0c81a41ed30ef544a9fabf5fdc045c79ec2801a267623f1cc23f7648e72d33d0482cf22bc56046a8ca653935ab61a6a7cbaffe797afa59d7308

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\my_computer.png

Filesize
21KB

MD5
1e9915377dedb0ce263599c2cf5d055f

SHA1
2710df3ae7fab55cc6d54d146f373cc823992dfc

SHA256
6e1b902056755a9cd7027ec351f675706aa2ca2dc0210a61b0bd4e0ffcabb1db

SHA512
073a61feb28cdb3a5f90382fe936f8949e5631b906161698e81a3d4d4672ee93ab93a02537b2b866cde82ed912ecfcaf50f05114057203d49c961c388b37392d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
60KB

MD5
8869778e531fd5fedd753be0678782b6

SHA1
6a205e45a518ffce7a46ae392096e085ed187a65

SHA256
cbfef5ad40e7d46b932d5c7d5c98f6af3fe53e3ffd3ff74a33908f58466cc319

SHA512
e2f7779cebed4b19e37e20e384de3c768c7799ed542e735918a37c4c4ea20d4edacdc5121579c95dbebfcfe538274886a6c8bc13caef29fcd383aa61ccb1760e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
94KB

MD5
0468ae90d4fb22f26cc8e960131e2b99

SHA1
ba23d051bf5f2aac1e80709f4ef8e504d9b96282

SHA256
2ecde37d3b1aa808507ee66d4bb3844f5c651b548338fe043bfe509b5bcbc281

SHA512
0513b7c524c70597ee921640f56121293289f1890be77ae535bcab071b022affd934d7e13faf78a92f57d6b0bf3e18bc161205de88420130733762ea8e487bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
114KB

MD5
77ffbf87b4131e6ba1351e78cc740684

SHA1
a5de587e5521887b33d470415a5e6ded356aee90

SHA256
bc5af848d5702f347713ab99d379438ae8bc086286755a30ec88721a291a9780

SHA512
7074680432473c1a4247ab314d76aaca93e31a8a20278833c5fa45a21bc896dc08139d4a9246c56301a27b661127ef20f7a114b7c89c28e205bd200f950e1d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
58KB

MD5
a6a5373fb0f80ac569f655876bc03bc6

SHA1
52ea9f765f4586b50b3a619712cc1bdedf3bda71

SHA256
12384c10897edd6eab46c42519607b569431e70f30accf91a3f6a19a27d56cc6

SHA512
6312743813491682bd513308ca122633e75bb093dfd68907aee8b91be6a296cb346c4e498dd2d61828650de1d9e85fddcf84b3610656f67e640a062d4833491a

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
1021KB

MD5
264b62e7dabd98410afd1904774f9f78

SHA1
876f3121ed62598499197c96dd77f40c1dd93f25

SHA256
045a4bd29603c46c9e97dd5a8ab6bdc016149736cb887e63f0d8f1f27e40c0a3

SHA512
fe24ce822f66daec8d92c465fbd9bfe53d6ffd4c9a82f20d3add2202c95ba0d4e72fc38b8a7061aa4fd877341067fa965e4c8967ac017406f0ffeafa4af03976

Download Submit
memory/2220-122-0x0000000003230000-0x0000000003541000-memory.dmp

Filesize
3.1MB

Download
memory/2220-110-0x0000000003230000-0x0000000003541000-memory.dmp

Filesize
3.1MB

Download
memory/2936-128-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/2936-130-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/2936-123-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/2936-124-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/2936-125-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/2936-126-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/2936-121-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/2936-127-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/2936-129-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/2936-114-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/2936-131-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/2936-132-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/2936-133-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/2936-134-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/2936-135-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/2936-136-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download