cab387260f8955529aa9afb76feff4c61e969d66883b21e9687d17bd43a0a789

Analysis

max time kernel
134s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 05:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6496cbf54d708f05509c03f0d6bdbd2e.exe
Size

43KB
MD5

6496cbf54d708f05509c03f0d6bdbd2e
SHA1

07bfc3552304bff2eae2a2e98793ec08a490a167
SHA256

cab387260f8955529aa9afb76feff4c61e969d66883b21e9687d17bd43a0a789
SHA512

bae51b8a0846fc4fef1a09e0b5973c7232b44a3b9bd37f0a056f5731d9507394999a92db034bdaa2ae6455542d427b4d69b28f0093b2aaeb9dae0b5cb54f1403
SSDEEP

768:lse14URoiwNzRrWDJqurhUbOzZrIjmL1WYeTebIjTRV3P/oqqiK:lD44wNzRrWNFh1Cw17cjFZ/ozj

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1404-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1404-8-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1404 set thread context of 2488	1404	6496cbf54d708f05509c03f0d6bdbd2e.exe	88

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2488	6496cbf54d708f05509c03f0d6bdbd2e.exe
2488	6496cbf54d708f05509c03f0d6bdbd2e.exe
2488	6496cbf54d708f05509c03f0d6bdbd2e.exe
2488	6496cbf54d708f05509c03f0d6bdbd2e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1636	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1404	6496cbf54d708f05509c03f0d6bdbd2e.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 2488	1404	6496cbf54d708f05509c03f0d6bdbd2e.exe	88
PID 1404 wrote to memory of 2488	1404	6496cbf54d708f05509c03f0d6bdbd2e.exe	88
PID 1404 wrote to memory of 2488	1404	6496cbf54d708f05509c03f0d6bdbd2e.exe	88
PID 1404 wrote to memory of 2488	1404	6496cbf54d708f05509c03f0d6bdbd2e.exe	88
PID 1404 wrote to memory of 2488	1404	6496cbf54d708f05509c03f0d6bdbd2e.exe	88
PID 1404 wrote to memory of 2488	1404	6496cbf54d708f05509c03f0d6bdbd2e.exe	88
PID 1404 wrote to memory of 2488	1404	6496cbf54d708f05509c03f0d6bdbd2e.exe	88
PID 2488 wrote to memory of 3436	2488	6496cbf54d708f05509c03f0d6bdbd2e.exe	44
PID 2488 wrote to memory of 3436	2488	6496cbf54d708f05509c03f0d6bdbd2e.exe	44
PID 2488 wrote to memory of 3436	2488	6496cbf54d708f05509c03f0d6bdbd2e.exe	44
PID 2488 wrote to memory of 3436	2488	6496cbf54d708f05509c03f0d6bdbd2e.exe	44

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\6496cbf54d708f05509c03f0d6bdbd2e.exe
  "C:\Users\Admin\AppData\Local\Temp\6496cbf54d708f05509c03f0d6bdbd2e.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\6496cbf54d708f05509c03f0d6bdbd2e.exe
    C:\Users\Admin\AppData\Local\Temp\6496cbf54d708f05509c03f0d6bdbd2e.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2488

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1404-8-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1404-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1636-33-0x000002A446540000-0x000002A446550000-memory.dmp

Filesize
64KB

Download
memory/1636-17-0x000002A446440000-0x000002A446450000-memory.dmp

Filesize
64KB

Download
memory/1636-53-0x000002A44E990000-0x000002A44E991000-memory.dmp

Filesize
4KB

Download
memory/1636-52-0x000002A44E860000-0x000002A44E861000-memory.dmp

Filesize
4KB

Download
memory/1636-51-0x000002A44E860000-0x000002A44E861000-memory.dmp

Filesize
4KB

Download
memory/1636-49-0x000002A44E830000-0x000002A44E831000-memory.dmp

Filesize
4KB

Download
memory/2488-15-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2488-7-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2488-16-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2488-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2488-10-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2488-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2488-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3436-12-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/3436-11-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download