018b4f92d8f761d17355ff52300f64c0fb15af50f8238d7c9e271b5017dc3fb8

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7555f7f81564a10566b79e546f91b1f8.exe
Size

67KB
MD5

7555f7f81564a10566b79e546f91b1f8
SHA1

a51c0c07052a6c73c16ee5b7a3088e27ba0fdac7
SHA256

018b4f92d8f761d17355ff52300f64c0fb15af50f8238d7c9e271b5017dc3fb8
SHA512

cf1eca91c8a7a8a5b40e0176886198e248ccaf6a1c11030f75e998c0830fa42f5fb351893da63d7086fbf74822989f1976e26f2ab2ef2623c862810b5fbb6f63
SSDEEP

1536:LHp2tEWFuFlWRFuZSHH7Ni3pDwS5u5G2UMhz:LHpVGuFeH7NwpDwOu51UMhz

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
848	alg.exe

Loads dropped DLL 2 IoCs

pid	Process
4692	7555f7f81564a10566b79e546f91b1f8.exe
4692	7555f7f81564a10566b79e546f91b1f8.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4692-0-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4692-1-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x000700000002320e-4.dat	upx
behavioral2/files/0x0006000000023215-11.dat	upx
behavioral2/memory/848-13-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/848-15-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4692-18-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lk2sound.dll	7555f7f81564a10566b79e546f91b1f8.exe
File created	C:\Windows\SysWOW64\delmeml.bat	7555f7f81564a10566b79e546f91b1f8.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\alg.exe	7555f7f81564a10566b79e546f91b1f8.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
4692	7555f7f81564a10566b79e546f91b1f8.exe
652	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	4692	7555f7f81564a10566b79e546f91b1f8.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 5052	4692	7555f7f81564a10566b79e546f91b1f8.exe	88
PID 4692 wrote to memory of 5052	4692	7555f7f81564a10566b79e546f91b1f8.exe	88
PID 4692 wrote to memory of 5052	4692	7555f7f81564a10566b79e546f91b1f8.exe	88

C:\Users\Admin\AppData\Local\Temp\7555f7f81564a10566b79e546f91b1f8.exe
"C:\Users\Admin\AppData\Local\Temp\7555f7f81564a10566b79e546f91b1f8.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c delmeml.bat
  2⤵
  PID:5052

C:\Windows\alg.exe
C:\Windows\alg.exe
1⤵
- Executes dropped EXE
PID:848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\delmeml.bat

Filesize
264B

MD5
29b1cfdb3e7c166f033766e10deea79b

SHA1
6376657e782a096568e0a238d511ffbc58b6c079

SHA256
eabaa4452d7301c14aefd6968cffcddf88134a8f3e6bbacc8414289ae1e2070c

SHA512
c0c15b19cbc3e2da70ba7b887ea0e623fae05424ef71af351ce703ac92d39272405831867e5faa9345097a6492aa81a298034dade0ed28c802957e79df95859b

Download Submit
C:\Windows\SysWOW64\lk2sound.dll

Filesize
34KB

MD5
a6a99d25d4c379976d57cc3a020cfdca

SHA1
10b763132be36c4b7f44539b129986b54208fbbb

SHA256
5ae2c357c7ed46dfbf707088c391618d0732db565e8f51beb537acada0ab93f8

SHA512
83118fef8ff3f82eb7ee81482d0c41f83c6ee1c7701cbc381ff0adf4ad0e2f371e1c48e8aa734a52cda6449f53aff6b8e991f9b6816a6b46b220f8ce505da42f

Download Submit
C:\Windows\alg.exe

Filesize
14KB

MD5
c999532eae3096c59cd03a9dee628a06

SHA1
8cd1f5a021fedd8ff11db1461bf24bb735f789e1

SHA256
3d3b00014770f4277649c8997422c4db27ea13fc501751148da5654dea4eeec5

SHA512
8b7bc81c5d28c877b354f1b08677a60860b8d76fbd392826e256cab1884e88f54b157f9d4dd57f9fdc982f02e125712c01f9fc47723aaf70c7db1aa4946fc0d7

Download Submit
memory/848-13-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/848-14-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/848-15-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/848-21-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/4692-2-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/4692-8-0x0000000000610000-0x0000000000635000-memory.dmp

Filesize
148KB

Download
memory/4692-9-0x0000000000610000-0x0000000000635000-memory.dmp

Filesize
148KB

Download
memory/4692-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4692-19-0x0000000000610000-0x0000000000617000-memory.dmp

Filesize
28KB

Download
memory/4692-18-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4692-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download