88b25267ac7663036ed496320a0d57c07440b1ac4510c6591cd1449d0b4afd99

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e81c5b134659bff81679e84edf4cb25.exe
Size

14KB
MD5

8e81c5b134659bff81679e84edf4cb25
SHA1

5a245cc1c446cfc2fe4a8df4cd483a79e912e0ef
SHA256

88b25267ac7663036ed496320a0d57c07440b1ac4510c6591cd1449d0b4afd99
SHA512

80521bf366d9016c4786596e8a19a8b9fa65047d05dd1195d4548408d33ff4f846db68d14b66261e3092f3b7deb95213c1925506cd77bd2457264aea319834db
SSDEEP

384:8PEFCpcGo9nAH+yCAJti30/yGHxXUPk3DqSG0J:sZcR9AHBCEtiEaGHxkPADqP

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2572	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2736	wllamek.exe

Loads dropped DLL 2 IoCs

pid	Process
2440	8e81c5b134659bff81679e84edf4cb25.exe
2440	8e81c5b134659bff81679e84edf4cb25.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2440-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x000d000000012353-3.dat	upx
behavioral1/memory/2736-11-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2440-12-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wllame.dll	8e81c5b134659bff81679e84edf4cb25.exe
File created	C:\Windows\SysWOW64\wllamek.exe	8e81c5b134659bff81679e84edf4cb25.exe
File opened for modification	C:\Windows\SysWOW64\wllamek.exe	8e81c5b134659bff81679e84edf4cb25.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2736	2440	8e81c5b134659bff81679e84edf4cb25.exe	28
PID 2440 wrote to memory of 2736	2440	8e81c5b134659bff81679e84edf4cb25.exe	28
PID 2440 wrote to memory of 2736	2440	8e81c5b134659bff81679e84edf4cb25.exe	28
PID 2440 wrote to memory of 2736	2440	8e81c5b134659bff81679e84edf4cb25.exe	28
PID 2440 wrote to memory of 2572	2440	8e81c5b134659bff81679e84edf4cb25.exe	29
PID 2440 wrote to memory of 2572	2440	8e81c5b134659bff81679e84edf4cb25.exe	29
PID 2440 wrote to memory of 2572	2440	8e81c5b134659bff81679e84edf4cb25.exe	29
PID 2440 wrote to memory of 2572	2440	8e81c5b134659bff81679e84edf4cb25.exe	29

C:\Users\Admin\AppData\Local\Temp\8e81c5b134659bff81679e84edf4cb25.exe
"C:\Users\Admin\AppData\Local\Temp\8e81c5b134659bff81679e84edf4cb25.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\wllamek.exe
  C:\Windows\system32\wllamek.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\8e81c5b134659bff81679e84edf4cb25.exe.bat
  2⤵
  - Deletes itself
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8e81c5b134659bff81679e84edf4cb25.exe.bat

Filesize
182B

MD5
d5cc43c1bd98320526e4432ebf30aa5b

SHA1
eb040d4756e48e573586addfeae32c76df1ec262

SHA256
75a8652a59b920c07104ad3358a845389d19b4af5da9cc307e09bbe84c63b963

SHA512
5c0b5924802b5e144fcd0f4e1218054da79272dcf677c8732e070fac66b7059c193ce116c16596115b681b79fe11f48bcf9edf91c0ddbf91b1960a207d69fb64

Download Submit
\Windows\SysWOW64\wllamek.exe

Filesize
14KB

MD5
8e81c5b134659bff81679e84edf4cb25

SHA1
5a245cc1c446cfc2fe4a8df4cd483a79e912e0ef

SHA256
88b25267ac7663036ed496320a0d57c07440b1ac4510c6591cd1449d0b4afd99

SHA512
80521bf366d9016c4786596e8a19a8b9fa65047d05dd1195d4548408d33ff4f846db68d14b66261e3092f3b7deb95213c1925506cd77bd2457264aea319834db

Download Submit
memory/2440-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2440-10-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2440-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2440-16-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2736-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download