Analysis

Max time kernel: 153s
Max time network: 161s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 24/01/2024, 06:32
Behavioral tasks

behavioral1
  Sample: 7f7264d729ee6fe7ad3c6af612f91a6b5164ece76f2f656f14dc0c4b13016078.exe
  Resource: win7-20231215-en

behavioral2
  Sample: 7f7264d729ee6fe7ad3c6af612f91a6b5164ece76f2f656f14dc0c4b13016078.exe
  Resource: win10v2004-20231215-en
General

Target: 7f7264d729ee6fe7ad3c6af612f91a6b5164ece76f2f656f14dc0c4b13016078.exe
Size: 2.9MB
MD5: 764d7aabdc9bb40bc6da133bf18895fb
SHA1: 1881c9c58e179c11c53b47651425730b4199a622
SHA256: 7f7264d729ee6fe7ad3c6af612f91a6b5164ece76f2f656f14dc0c4b13016078
SHA512: 18f6f539625353e647d7d5b29aa867418cc8baa34f85eeca5e0ea8da77474c7e7aae697154a746e54981480632d921943518c82a9447b1e2d2f8a5c0d5bde282
SSDEEP: 49152:Z/mU/ohubcvjouXcmB+u+p/0e4SkBsXt2fD8DWA+b1aVe//eo1t+hCbDeDb+iMRp:Z+S9bgjzXcmj+pMe4vs90D6+2eptksSM
Malware Config

Signatures

resource                                                                    yara_rule
behavioral2/memory/1080-0-0x00000000002A0000-0x00000000008A9000-memory.dmp  upx
behavioral2/memory/1080-1-0x00000000002A0000-0x00000000008A9000-memory.dmp  upx
behavioral2/memory/1080-7-0x00000000002A0000-0x00000000008A9000-memory.dmp  upx
behavioral2/memory/1080-8-0x00000000002A0000-0x00000000008A9000-memory.dmp  upx
behavioral2/memory/1080-9-0x00000000002A0000-0x00000000008A9000-memory.dmp  upx
behavioral2/memory/1080-11-0x00000000002A0000-0x00000000008A9000-memory.dmp upx
behavioral2/memory/1080-12-0x00000000002A0000-0x00000000008A9000-memory.dmp upx
behavioral2/memory/1080-13-0x00000000002A0000-0x00000000008A9000-memory.dmp upx
behavioral2/memory/1080-14-0x00000000002A0000-0x00000000008A9000-memory.dmp upx
behavioral2/memory/1080-15-0x00000000002A0000-0x00000000008A9000-memory.dmp upx
behavioral2/memory/1080-16-0x00000000002A0000-0x00000000008A9000-memory.dmp upx
behavioral2/memory/1080-17-0x00000000002A0000-0x00000000008A9000-memory.dmp upx
behavioral2/memory/1080-18-0x00000000002A0000-0x00000000008A9000-memory.dmp upx
behavioral2/memory/1080-19-0x00000000002A0000-0x00000000008A9000-memory.dmp upx
behavioral2/memory/1080-20-0x00000000002A0000-0x00000000008A9000-memory.dmp upx
behavioral2/memory/1080-21-0x00000000002A0000-0x00000000008A9000-memory.dmp upx
behavioral2/memory/1080-22-0x00000000002A0000-0x00000000008A9000-memory.dmp upx

AutoIT Executable (16 IoCs)
AutoIT scripts compiled to PE executables.

resource                                                                    yara_rule
behavioral2/memory/1080-1-0x00000000002A0000-0x00000000008A9000-memory.dmp  autoit_exe
behavioral2/memory/1080-7-0x00000000002A0000-0x00000000008A9000-memory.dmp  autoit_exe
behavioral2/memory/1080-8-0x00000000002A0000-0x00000000008A9000-memory.dmp  autoit_exe
behavioral2/memory/1080-9-0x00000000002A0000-0x00000000008A9000-memory.dmp  autoit_exe
behavioral2/memory/1080-11-0x00000000002A0000-0x00000000008A9000-memory.dmp autoit_exe
behavioral2/memory/1080-12-0x00000000002A0000-0x00000000008A9000-memory.dmp autoit_exe
behavioral2/memory/1080-13-0x00000000002A0000-0x00000000008A9000-memory.dmp autoit_exe
behavioral2/memory/1080-14-0x00000000002A0000-0x00000000008A9000-memory.dmp autoit_exe
behavioral2/memory/1080-15-0x00000000002A0000-0x00000000008A9000-memory.dmp autoit_exe
behavioral2/memory/1080-16-0x00000000002A0000-0x00000000008A9000-memory.dmp autoit_exe
behavioral2/memory/1080-17-0x00000000002A0000-0x00000000008A9000-memory.dmp autoit_exe
behavioral2/memory/1080-18-0x00000000002A0000-0x00000000008A9000-memory.dmp autoit_exe
behavioral2/memory/1080-19-0x00000000002A0000-0x00000000008A9000-memory.dmp autoit_exe
behavioral2/memory/1080-20-0x00000000002A0000-0x00000000008A9000-memory.dmp autoit_exe
behavioral2/memory/1080-21-0x00000000002A0000-0x00000000008A9000-memory.dmp autoit_exe
behavioral2/memory/1080-22-0x00000000002A0000-0x00000000008A9000-memory.dmp autoit_exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid   Process
1080  7f7264d729ee6fe7ad3c6af612f91a6b5164ece76f2f656f14dc0c4b13016078.exe
1080  7f7264d729ee6fe7ad3c6af612f91a6b5164ece76f2f656f14dc0c4b13016078.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)

pid   Process
1080  7f7264d729ee6fe7ad3c6af612f91a6b5164ece76f2f656f14dc0c4b13016078.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)

description                         pid   Process
Token: SeIncreaseQuotaPrivilege     3676  WMIC.exe
Token: SeSecurityPrivilege          3676  WMIC.exe
Token: SeTakeOwnershipPrivilege     3676  WMIC.exe
Token: SeLoadDriverPrivilege        3676  WMIC.exe
Token: SeSystemProfilePrivilege     3676  WMIC.exe
Token: SeSystemtimePrivilege        3676  WMIC.exe
Token: SeProfSingleProcessPrivilege 3676  WMIC.exe
Token: SeIncBasePriorityPrivilege   3676  WMIC.exe
Token: SeCreatePagefilePrivilege    3676  WMIC.exe
Token: SeBackupPrivilege            3676  WMIC.exe
Token: SeRestorePrivilege           3676  WMIC.exe
Token: SeShutdownPrivilege          3676  WMIC.exe
Token: SeDebugPrivilege             3676  WMIC.exe
Token: SeSystemEnvironmentPrivilege 3676  WMIC.exe
Token: SeRemoteShutdownPrivilege    3676  WMIC.exe
Token: SeUndockPrivilege            3676  WMIC.exe
Token: SeManageVolumePrivilege      3676  WMIC.exe
Token: 33                           3676  WMIC.exe
Token: 34                           3676  WMIC.exe
Token: 35                           3676  WMIC.exe
Token: 36                           3676  WMIC.exe
Token: SeIncreaseQuotaPrivilege     3676  WMIC.exe
Token: SeSecurityPrivilege          3676  WMIC.exe
Token: SeTakeOwnershipPrivilege     3676  WMIC.exe
Token: SeLoadDriverPrivilege        3676  WMIC.exe
Token: SeSystemProfilePrivilege     3676  WMIC.exe
Token: SeSystemtimePrivilege        3676  WMIC.exe
Token: SeProfSingleProcessPrivilege 3676  WMIC.exe
Token: SeIncBasePriorityPrivilege   3676  WMIC.exe
Token: SeCreatePagefilePrivilege    3676  WMIC.exe
Token: SeBackupPrivilege            3676  WMIC.exe
Token: SeRestorePrivilege           3676  WMIC.exe
Token: SeShutdownPrivilege          3676  WMIC.exe
Token: SeDebugPrivilege             3676  WMIC.exe
Token: SeSystemEnvironmentPrivilege 3676  WMIC.exe
Token: SeRemoteShutdownPrivilege    3676  WMIC.exe
Token: SeUndockPrivilege            3676  WMIC.exe
Token: SeManageVolumePrivilege      3676  WMIC.exe
Token: 33                           3676  WMIC.exe
Token: 34                           3676  WMIC.exe
Token: 35                           3676  WMIC.exe
Token: 36                           3676  WMIC.exe
Token: SeIncreaseQuotaPrivilege     4644  WMIC.exe
Token: SeSecurityPrivilege          4644  WMIC.exe
Token: SeTakeOwnershipPrivilege     4644  WMIC.exe
Token: SeLoadDriverPrivilege        4644  WMIC.exe
Token: SeSystemProfilePrivilege     4644  WMIC.exe
Token: SeSystemtimePrivilege        4644  WMIC.exe
Token: SeProfSingleProcessPrivilege 4644  WMIC.exe
Token: SeIncBasePriorityPrivilege   4644  WMIC.exe
Token: SeCreatePagefilePrivilege    4644  WMIC.exe
Token: SeBackupPrivilege            4644  WMIC.exe
Token: SeRestorePrivilege           4644  WMIC.exe
Token: SeShutdownPrivilege          4644  WMIC.exe
Token: SeDebugPrivilege             4644  WMIC.exe
Token: SeSystemEnvironmentPrivilege 4644  WMIC.exe
Token: SeRemoteShutdownPrivilege    4644  WMIC.exe
Token: SeUndockPrivilege            4644  WMIC.exe
Token: SeManageVolumePrivilege      4644  WMIC.exe
Token: 33                           4644  WMIC.exe
Token: 34                           4644  WMIC.exe
Token: 35                           4644  WMIC.exe
Token: 36                           4644  WMIC.exe
Token: SeIncreaseQuotaPrivilege     4644  WMIC.exe
Suspicious use of WriteProcessMemory (8 IoCs)

description                          pid   Process                                                                 procid_target
PID 1080 wrote to memory of 3736     1080  7f7264d729ee6fe7ad3c6af612f91a6b5164ece76f2f656f14dc0c4b13016078.exe  88
PID 1080 wrote to memory of 3736     1080  7f7264d729ee6fe7ad3c6af612f91a6b5164ece76f2f656f14dc0c4b13016078.exe  88
PID 3736 wrote to memory of 3676     3736  cmd.exe                                                                 90
PID 3736 wrote to memory of 3676     3736  cmd.exe                                                                 90
PID 1080 wrote to memory of 652      1080  7f7264d729ee6fe7ad3c6af612f91a6b5164ece76f2f656f14dc0c4b13016078.exe  92
PID 1080 wrote to memory of 652      1080  7f7264d729ee6fe7ad3c6af612f91a6b5164ece76f2f656f14dc0c4b13016078.exe  92
PID 652 wrote to memory of 4644      652   cmd.exe                                                                 94
PID 652 wrote to memory of 4644      652   cmd.exe                                                                 94
Processes

C:\Users\Admin\AppData\Local\Temp\7f7264d729ee6fe7ad3c6af612f91a6b5164ece76f2f656f14dc0c4b13016078.exe (PID 1080)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f7264d729ee6fe7ad3c6af612f91a6b5164ece76f2f656f14dc0c4b13016078.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (PID 3736)
    Command line: C:\Windows\system32\cmd.exe /c wmic OS get OperatingSystemSKU /value >sku.txt
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe (PID 3676)
      Command line: wmic OS get OperatingSystemSKU /value
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe (PID 652)
    Command line: C:\Windows\system32\cmd.exe /c wmic path Win32_OperatingSystem get BuildNumber /value >Number.txt
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe (PID 4644)
      Command line: wmic path Win32_OperatingSystem get BuildNumber /value
      - Suspicious use of AdjustPrivilegeToken
Downloads

Filesize: 56B
MD5: 8ed84db74f23eedfdfb8695036a0a731
SHA1: 7daed03b17fb7e6c27b50daf02a2e9b9c0181bde
SHA256: 549efcfad478003af8a3135b11a26319a178408956f1f3adf81b10e28d4d9f94
SHA512: a63807d7a83c5012386106efd3a6a2cc07fde57dd9b62d8d4ebb2ebd68376191cb06c5fdeb5b789d5477ae1be44cf67dcfa9cd2be53eceb263be4a6e792a6cf3

Filesize: 64B
MD5: 0c9b59ed6f6a729ddc7e56a16161cde5
SHA1: c3de4a971129971564a72827275766e073f508c3
SHA256: 5dee3ffcf55c48107674dbaf8a4f7bcaa2cf162b517b043c9dbb63123a229a63
SHA512: d769951cb40d1d06a131636202971b887eaa1ab96f97ed94eeb9dae331bb5224f17f90c33e0ea3f109134b1a18220a57840fdafa569317f65d23b86d45cf1003