6b8438b681999bab58a9ae040254bf0e3909d04568f070e46bbb21796dbe908d

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5271418db637de150018c0c4f5b40ae6.exe
Size

473KB
MD5

5271418db637de150018c0c4f5b40ae6
SHA1

9f1cd9b5e8cad2d00d9b35abb33d4299ee3be989
SHA256

6b8438b681999bab58a9ae040254bf0e3909d04568f070e46bbb21796dbe908d
SHA512

5db108a811ab3c3b10c473bf00d94648058cc38571e57590a5aa6e370c62477d819ade7f2c6f268924d3e43062769377d81b8fa8f58e26335e8f4ffcead19a4b
SSDEEP

12288:qrzg6zr/IyX+mKT0LE89FRzAZ92QxT2puMODryI4foO:qPgyhKT0LE8XREpxT2puPHyIO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4648	5271418db637de150018c0c4f5b40ae6.exe

Executes dropped EXE 1 IoCs

pid	Process
4648	5271418db637de150018c0c4f5b40ae6.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3496-0-0x0000000000400000-0x00000000005DC000-memory.dmp	upx
behavioral2/files/0x000300000001e715-12.dat	upx
behavioral2/memory/4648-14-0x0000000000400000-0x00000000005DC000-memory.dmp	upx

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3880	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3496	5271418db637de150018c0c4f5b40ae6.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3496	5271418db637de150018c0c4f5b40ae6.exe
4648	5271418db637de150018c0c4f5b40ae6.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 4648	3496	5271418db637de150018c0c4f5b40ae6.exe	91
PID 3496 wrote to memory of 4648	3496	5271418db637de150018c0c4f5b40ae6.exe	91
PID 3496 wrote to memory of 4648	3496	5271418db637de150018c0c4f5b40ae6.exe	91
PID 4648 wrote to memory of 3880	4648	5271418db637de150018c0c4f5b40ae6.exe	92
PID 4648 wrote to memory of 3880	4648	5271418db637de150018c0c4f5b40ae6.exe	92
PID 4648 wrote to memory of 3880	4648	5271418db637de150018c0c4f5b40ae6.exe	92
PID 4648 wrote to memory of 5056	4648	5271418db637de150018c0c4f5b40ae6.exe	95
PID 4648 wrote to memory of 5056	4648	5271418db637de150018c0c4f5b40ae6.exe	95
PID 4648 wrote to memory of 5056	4648	5271418db637de150018c0c4f5b40ae6.exe	95
PID 5056 wrote to memory of 2488	5056	cmd.exe	97
PID 5056 wrote to memory of 2488	5056	cmd.exe	97
PID 5056 wrote to memory of 2488	5056	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\5271418db637de150018c0c4f5b40ae6.exe
"C:\Users\Admin\AppData\Local\Temp\5271418db637de150018c0c4f5b40ae6.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Users\Admin\AppData\Local\Temp\5271418db637de150018c0c4f5b40ae6.exe
  C:\Users\Admin\AppData\Local\Temp\5271418db637de150018c0c4f5b40ae6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\5271418db637de150018c0c4f5b40ae6.exe" /TN aMYATtOZda0c /F
    3⤵
    - Creates scheduled task(s)
    PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN aMYATtOZda0c > C:\Users\Admin\AppData\Local\Temp\cGWDQ.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN aMYATtOZda0c
      4⤵
      PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5271418db637de150018c0c4f5b40ae6.exe

Filesize
473KB

MD5
5b24b9b7eabf97783aa0ae519e1f2bdf

SHA1
58a7151df35c641300948c8cff7ac8a7e8011c81

SHA256
d0cb10f36da40346fb67314ce48f9cc7f5af0272c804b474a65462803cba631b

SHA512
b68919b68fb90902d6c027ce5a653e06bb09802f9c2a8a8e6157a69e00b04e3b29c4080270d440762c302bd619725168c239e7d560235a53d2107a6df3a29cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cGWDQ.xml

Filesize
1KB

MD5
50acfe0bc393b69600ebd993080b4d00

SHA1
3e53cb6a799be343409afe9f7f4eabc689b5f24c

SHA256
b9e1c2cf609a4ac6aadd3ef2b735f767a8ae2446325872189441d91e20c7159c

SHA512
5f9b221f69615e6933829bd0415ea4fd5ee0dc54696e7a3fcaee78146a80e97b426dd4ab711cf8e8c21283185cab6b85f74e5b3cc8d5db895a1f24c7866eb4cc

Download Submit
memory/3496-0-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/3496-1-0x00000000015E0000-0x0000000001657000-memory.dmp

Filesize
476KB

Download
memory/3496-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3496-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4648-14-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/4648-17-0x00000000015E0000-0x0000000001657000-memory.dmp

Filesize
476KB

Download
memory/4648-22-0x0000000000520000-0x0000000000586000-memory.dmp

Filesize
408KB

Download
memory/4648-23-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4648-32-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads