926aa33cbde79a3cf1e3c6dd05e8e1941e4da385c10caf43cab8749b5c5801d4

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2024, 18:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6ffa929ab7eb3dcbeb80e580b47f7b1c.exe
Size

440KB
MD5

6ffa929ab7eb3dcbeb80e580b47f7b1c
SHA1

a4e798ca9e7de1e3d66682e6deb9e7440e4862f0
SHA256

926aa33cbde79a3cf1e3c6dd05e8e1941e4da385c10caf43cab8749b5c5801d4
SHA512

e154cfecc33e5c92000287030c89d304bca3d5ec56ae206ebbc5969926c4cfcd482d00aef6ab437abff9c3b147ef87029a253eb288be1710639c355d83f6e9f5
SSDEEP

12288:73psRRozCi7GeMK7kW6a7uc0fmNnQdfD4Mp1xQWGIyZLbaiGUE:bpsjoui7G7K7V7u8QdbDQWpyFa3

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4108	winvnc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4692-0-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4692-46-0x0000000000400000-0x0000000000490000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4692-46-0x0000000000400000-0x0000000000490000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4692	6ffa929ab7eb3dcbeb80e580b47f7b1c.exe
4692	6ffa929ab7eb3dcbeb80e580b47f7b1c.exe
4692	6ffa929ab7eb3dcbeb80e580b47f7b1c.exe
4692	6ffa929ab7eb3dcbeb80e580b47f7b1c.exe
4692	6ffa929ab7eb3dcbeb80e580b47f7b1c.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4692	6ffa929ab7eb3dcbeb80e580b47f7b1c.exe
4692	6ffa929ab7eb3dcbeb80e580b47f7b1c.exe
4692	6ffa929ab7eb3dcbeb80e580b47f7b1c.exe
4692	6ffa929ab7eb3dcbeb80e580b47f7b1c.exe
4692	6ffa929ab7eb3dcbeb80e580b47f7b1c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 2868	4692	6ffa929ab7eb3dcbeb80e580b47f7b1c.exe	86
PID 4692 wrote to memory of 2868	4692	6ffa929ab7eb3dcbeb80e580b47f7b1c.exe	86
PID 4692 wrote to memory of 2868	4692	6ffa929ab7eb3dcbeb80e580b47f7b1c.exe	86
PID 2868 wrote to memory of 4108	2868	cmd.exe	89
PID 2868 wrote to memory of 4108	2868	cmd.exe	89
PID 2868 wrote to memory of 4108	2868	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\6ffa929ab7eb3dcbeb80e580b47f7b1c.exe
"C:\Users\Admin\AppData\Local\Temp\6ffa929ab7eb3dcbeb80e580b47f7b1c.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SC_VNC_Temp_Files\winvnc.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\SC_VNC_Temp_Files\winvnc.exe
    winvnc.exe
    3⤵
    - Executes dropped EXE
    PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SC_VNC_Temp_Files\helpdesk.txt

Filesize
1KB

MD5
b00031e2ef9660cefd8a5080d15db187

SHA1
b111d5a3d7df36acc7420b9d6f38d0711fe3f937

SHA256
b5cc26dabeb974e03813439af465111725d26026bba21eee55a1d50bb5ad3ba4

SHA512
31e606733fb415985ea3b9fb5f20802d63bee6b69d04653bacdaceaaefb23d8b1465c0c5ab95f94a1fadad4469c2a23745a996fcbfcb7ebb0129f16230f991c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SC_VNC_Temp_Files\logo.bmp

Filesize
103KB

MD5
ad43a1dd558632c6dbb712f46ec73db1

SHA1
14ed987dcc1adf2137bbab5a6eb87ce8b5ed822f

SHA256
7404e653037552a4861f4178ec7769014e94f71431021f870b9c844026d5906a

SHA512
1f1b986d80cb2ba2f2af682bd114bc082d983e9ece8ff2fa732b54b80b22c246920d90c6df5a9b3b5afc27b3f30b5573d11decbb4815266053614743fec4eb54

Download Submit
C:\Users\Admin\AppData\Local\Temp\SC_VNC_Temp_Files\winvnc.cmd

Filesize
2KB

MD5
c18af84528b187cfc0810123a9894400

SHA1
c6ab33a9f0154783fb606bb945498eb6a4fc9347

SHA256
845856f8fd2fca8676086b424f3fb681063470af0b5aae5a0fd6b2f60fdce5d9

SHA512
1981ef2a2b093980ba70c786f421c13db0f2d917f4889a6ef3b79bca53168ca0e3c3e516e6bbc5758f71a7c00f68464f39d302f8c544262272f401cf45787e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SC_VNC_Temp_Files\winvnc.exe

Filesize
244KB

MD5
1cc077ecea12e9b484112d897da74a3b

SHA1
7fef071f41ddd1895b2723f9a526f53b6cd681c7

SHA256
db904b423b5b4b0a15a8c39851449a7f2a8271f318374ce2d6618cfab07b096f

SHA512
6cfc612f34170fc409969fff8f2ad3352b71c9d06c389276d0d7f01fcd3e4684c6016c7860fed6d020ad9713aaf86a9076719189047b8cf3e0d0d054718c23e4

Download Submit
memory/4692-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4692-46-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download