cb6c5815d9ea43cb0ef5513cf0fd8e73fcca5b08b030486ee047a6b4fc443865

Analysis

max time kernel
142s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 20:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

785c1f01a4a0df2e99f5baf57a2bed83.exe
Size

295KB
MD5

785c1f01a4a0df2e99f5baf57a2bed83
SHA1

5c22dc4bd0d820e7d2a48791729464f63fe215d5
SHA256

cb6c5815d9ea43cb0ef5513cf0fd8e73fcca5b08b030486ee047a6b4fc443865
SHA512

4c306c04ffc556eab7728e84bca52bcbf0157a0b509f774a8047fd0fb2508d7f00ddf670326c446ed02bbf74b047e217a080d7ce6dab4168bab55d0f828d079f
SSDEEP

6144:pTtETjaBZgCtOROVtQlYyWKaV4Pd0I1jfBynfQeMWk:hBvIwt5yWKPjGfM

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2848	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1172	services.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2096-0-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x000a000000012253-4.dat	upx
behavioral1/memory/1172-5-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2096-15-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1172-17-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1172-18-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1172-23-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	785c1f01a4a0df2e99f5baf57a2bed83.exe
File opened for modification	C:\Windows\services.exe	785c1f01a4a0df2e99f5baf57a2bed83.exe
File created	C:\Windows\uninstal.bat	785c1f01a4a0df2e99f5baf57a2bed83.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	785c1f01a4a0df2e99f5baf57a2bed83.exe
Token: SeDebugPrivilege	1172	services.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1172	services.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 2704	1172	services.exe	29
PID 1172 wrote to memory of 2704	1172	services.exe	29
PID 1172 wrote to memory of 2704	1172	services.exe	29
PID 1172 wrote to memory of 2704	1172	services.exe	29
PID 2096 wrote to memory of 2848	2096	785c1f01a4a0df2e99f5baf57a2bed83.exe	30
PID 2096 wrote to memory of 2848	2096	785c1f01a4a0df2e99f5baf57a2bed83.exe	30
PID 2096 wrote to memory of 2848	2096	785c1f01a4a0df2e99f5baf57a2bed83.exe	30
PID 2096 wrote to memory of 2848	2096	785c1f01a4a0df2e99f5baf57a2bed83.exe	30
PID 2096 wrote to memory of 2848	2096	785c1f01a4a0df2e99f5baf57a2bed83.exe	30
PID 2096 wrote to memory of 2848	2096	785c1f01a4a0df2e99f5baf57a2bed83.exe	30
PID 2096 wrote to memory of 2848	2096	785c1f01a4a0df2e99f5baf57a2bed83.exe	30

C:\Users\Admin\AppData\Local\Temp\785c1f01a4a0df2e99f5baf57a2bed83.exe
"C:\Users\Admin\AppData\Local\Temp\785c1f01a4a0df2e99f5baf57a2bed83.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2848

C:\Windows\services.exe
C:\Windows\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\services.exe

Filesize
295KB

MD5
785c1f01a4a0df2e99f5baf57a2bed83

SHA1
5c22dc4bd0d820e7d2a48791729464f63fe215d5

SHA256
cb6c5815d9ea43cb0ef5513cf0fd8e73fcca5b08b030486ee047a6b4fc443865

SHA512
4c306c04ffc556eab7728e84bca52bcbf0157a0b509f774a8047fd0fb2508d7f00ddf670326c446ed02bbf74b047e217a080d7ce6dab4168bab55d0f828d079f

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
dff1ba03d020eef94c0d1451ed85fb2a

SHA1
32ece8745b1ee141af7d40937bc6e90dfdb6d770

SHA256
2d8a34fb9b7e9797fb915f55052fc5367e32152504e04e30bede66d5476f1fd5

SHA512
17d0b0d3f509bd8cf8ca121c4cd41c05e887ca55a5cc13cfc244b5bd888565f67437148e6e2c672a268b2ecc04794396da2cec1c5d4cb7748ae1607d48e4f8de

Download Submit
memory/1172-5-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1172-6-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1172-17-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1172-18-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1172-19-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1172-23-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2096-0-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2096-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2096-15-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download