3c1d20a16974c5be141e79cecc4df79648e1c23f7df1eae46bf9bb982ebea808

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64f3fff4ef95238129739d61f3e3d433.exe
Size

720KB
MD5

64f3fff4ef95238129739d61f3e3d433
SHA1

3e3b8de22d27364ddcbc389a00273684275e5247
SHA256

3c1d20a16974c5be141e79cecc4df79648e1c23f7df1eae46bf9bb982ebea808
SHA512

4daec2daf455b4da2895a23fac1fe9a83cabb875448077093b3646819a15fcffb8ed5208b745ba4efdf1b0bba60392e83f5c596a4dc48163b97bcb03f24dba88
SSDEEP

12288:tUFlby45O0m5YeJJNTJrq21lmSxxj9+CWAckbq8Wj+JnoeD/eaeXAmTSbf+vG0s:tUvby4w0m5YeTJrqkmS/B+pATq8WeneG

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2720	64f3fff4ef95238129739d61f3e3d433.exe

Executes dropped EXE 1 IoCs

pid	Process
2720	64f3fff4ef95238129739d61f3e3d433.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4064-0-0x0000000000400000-0x00000000005DC000-memory.dmp	upx
behavioral2/memory/2720-14-0x0000000000400000-0x00000000005DC000-memory.dmp	upx
behavioral2/files/0x000600000001e5df-12.dat	upx

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
448	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4064	64f3fff4ef95238129739d61f3e3d433.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4064	64f3fff4ef95238129739d61f3e3d433.exe
2720	64f3fff4ef95238129739d61f3e3d433.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 2720	4064	64f3fff4ef95238129739d61f3e3d433.exe	98
PID 4064 wrote to memory of 2720	4064	64f3fff4ef95238129739d61f3e3d433.exe	98
PID 4064 wrote to memory of 2720	4064	64f3fff4ef95238129739d61f3e3d433.exe	98
PID 2720 wrote to memory of 448	2720	64f3fff4ef95238129739d61f3e3d433.exe	91
PID 2720 wrote to memory of 448	2720	64f3fff4ef95238129739d61f3e3d433.exe	91
PID 2720 wrote to memory of 448	2720	64f3fff4ef95238129739d61f3e3d433.exe	91
PID 2720 wrote to memory of 2724	2720	64f3fff4ef95238129739d61f3e3d433.exe	97
PID 2720 wrote to memory of 2724	2720	64f3fff4ef95238129739d61f3e3d433.exe	97
PID 2720 wrote to memory of 2724	2720	64f3fff4ef95238129739d61f3e3d433.exe	97
PID 2724 wrote to memory of 2248	2724	cmd.exe	93
PID 2724 wrote to memory of 2248	2724	cmd.exe	93
PID 2724 wrote to memory of 2248	2724	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\64f3fff4ef95238129739d61f3e3d433.exe
"C:\Users\Admin\AppData\Local\Temp\64f3fff4ef95238129739d61f3e3d433.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Users\Admin\AppData\Local\Temp\64f3fff4ef95238129739d61f3e3d433.exe
  C:\Users\Admin\AppData\Local\Temp\64f3fff4ef95238129739d61f3e3d433.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2720

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\64f3fff4ef95238129739d61f3e3d433.exe" /TN 0Su7L8S745c1 /F
1⤵
- Creates scheduled task(s)
PID:448

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN 0Su7L8S745c1
1⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks.exe /Query /XML /TN 0Su7L8S745c1 > C:\Users\Admin\AppData\Local\Temp\I3UxczDr.xml
1⤵
- Suspicious use of WriteProcessMemory
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\64f3fff4ef95238129739d61f3e3d433.exe

Filesize
720KB

MD5
e8f4c1e8734cfd20ca8d8a4359edaf0d

SHA1
c4b3eec78091865fa184606ee527409e4f91c8aa

SHA256
eec89568dc48dfd72becc07bc0cea7c731fc6d0dc128a247b7e4485f01c2f7e7

SHA512
3d23ea4c829677b0345519a4692546413d5500767f2f8b04046d02df21a7644a82b678d79d80199f2707b9091f540a24887e6af602d117069c69b9c702f22905

Download Submit
C:\Users\Admin\AppData\Local\Temp\I3UxczDr.xml

Filesize
1KB

MD5
ca56de79af04b7152b23351318697a38

SHA1
4d985718263ec765499bda4f2ac5037e55293d3b

SHA256
8f0790beedf04cfcb549a9c8a11fda5be2aaf05b55d833a2d255f6cdb37fcad9

SHA512
caef878a9d7dbb0e0eb34e9e061ff8a982f23f5ad4b1db716abfd95d6b7176218536e52f7959bb424d0691bc177a46108549a28e712b293dd50f174ceb21ad44

Download Submit
memory/2720-17-0x0000000001750000-0x00000000017C7000-memory.dmp

Filesize
476KB

Download
memory/2720-14-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2720-23-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2720-22-0x00000000004D0000-0x0000000000536000-memory.dmp

Filesize
408KB

Download
memory/2720-32-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/4064-0-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/4064-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4064-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4064-1-0x00000000015E0000-0x0000000001657000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads