cb6c5815d9ea43cb0ef5513cf0fd8e73fcca5b08b030486ee047a6b4fc443865

Analysis

max time kernel
107s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 20:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

785c1f01a4a0df2e99f5baf57a2bed83.exe
Size

295KB
MD5

785c1f01a4a0df2e99f5baf57a2bed83
SHA1

5c22dc4bd0d820e7d2a48791729464f63fe215d5
SHA256

cb6c5815d9ea43cb0ef5513cf0fd8e73fcca5b08b030486ee047a6b4fc443865
SHA512

4c306c04ffc556eab7728e84bca52bcbf0157a0b509f774a8047fd0fb2508d7f00ddf670326c446ed02bbf74b047e217a080d7ce6dab4168bab55d0f828d079f
SSDEEP

6144:pTtETjaBZgCtOROVtQlYyWKaV4Pd0I1jfBynfQeMWk:hBvIwt5yWKPjGfM

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
880	services.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1436-0-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/880-6-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/files/0x000d000000023151-5.dat	upx
behavioral2/files/0x000d000000023151-4.dat	upx
behavioral2/memory/1436-10-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/880-12-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	785c1f01a4a0df2e99f5baf57a2bed83.exe
File opened for modification	C:\Windows\services.exe	785c1f01a4a0df2e99f5baf57a2bed83.exe
File created	C:\Windows\uninstal.bat	785c1f01a4a0df2e99f5baf57a2bed83.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1436	785c1f01a4a0df2e99f5baf57a2bed83.exe
Token: SeDebugPrivilege	880	services.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
880	services.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 4016	880	services.exe	88
PID 880 wrote to memory of 4016	880	services.exe	88
PID 1436 wrote to memory of 4076	1436	785c1f01a4a0df2e99f5baf57a2bed83.exe	93
PID 1436 wrote to memory of 4076	1436	785c1f01a4a0df2e99f5baf57a2bed83.exe	93
PID 1436 wrote to memory of 4076	1436	785c1f01a4a0df2e99f5baf57a2bed83.exe	93

C:\Users\Admin\AppData\Local\Temp\785c1f01a4a0df2e99f5baf57a2bed83.exe
"C:\Users\Admin\AppData\Local\Temp\785c1f01a4a0df2e99f5baf57a2bed83.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:4076

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
1⤵
PID:4016

C:\Windows\services.exe
C:\Windows\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\services.exe

Filesize
209KB

MD5
612713b54fe67973c0388ea125d8f8da

SHA1
a12188c73d0ad66d1bd6b661ec90575cb9f10a6a

SHA256
7dfd352eaf5aed697349882b47adf09fd3c577fd88325b1269f0a41f270e3ae5

SHA512
7480af4c1341ccc6d197352af43da9f9b4e8c7cad3e4258c3b6c55a1b7a5c03177a38da6fd9eee749ff5920a58128b03683ac4746de43d11feabc40567c5fe74

Download Submit
C:\Windows\services.exe

Filesize
136KB

MD5
e7b95f042edc44053535119914792e7b

SHA1
ecc0b9e1a2f27d3a1998bfc6784d45e2de16ba85

SHA256
64b2bd5deca22476449e472f7b754c3d699f19b346a84f9dfecaf6ab78a0c8de

SHA512
6036309001cdacedbb5dc94e34989aa2a53ba24c7a268ae30d536af655969f6f5a05ea44a3e3d2475d22f6361d79d0078b8ab94a2f9e90b3f6f61a71095eb3e6

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
dff1ba03d020eef94c0d1451ed85fb2a

SHA1
32ece8745b1ee141af7d40937bc6e90dfdb6d770

SHA256
2d8a34fb9b7e9797fb915f55052fc5367e32152504e04e30bede66d5476f1fd5

SHA512
17d0b0d3f509bd8cf8ca121c4cd41c05e887ca55a5cc13cfc244b5bd888565f67437148e6e2c672a268b2ecc04794396da2cec1c5d4cb7748ae1607d48e4f8de

Download Submit
memory/880-7-0x0000000001420000-0x0000000001421000-memory.dmp

Filesize
4KB

Download
memory/880-6-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/880-12-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/880-13-0x0000000001420000-0x0000000001421000-memory.dmp

Filesize
4KB

Download
memory/1436-0-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1436-1-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1436-10-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download