4c046796d14f6d096e48dfdf8b1aaef0f667e3817642daa504abf269df645152

Analysis

max time kernel
141s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b9f13977cef00e01804a748606aabe4.exe
Size

781KB
MD5

9b9f13977cef00e01804a748606aabe4
SHA1

d88c295158aeef836a2875988b535333d98a2b59
SHA256

4c046796d14f6d096e48dfdf8b1aaef0f667e3817642daa504abf269df645152
SHA512

6fff6401d973f464410a2919ebf0e9ff8f5150ee9ff4633c99c994aa3c6826f39dfa6764c96ec2ec262952ec67ae11759cf0ddace446da98990b63b69d54f504
SSDEEP

12288:57+5+zW4gpZr2j9OW5AeS79b7bklD1LPavqhIkZuTI51Y2ODZRyjwKoAeHMH:NM+jUZw4W5AeS7Zo5ZavUIkZ+r0o7H

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1228	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1224	amdcpusetu.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2196-0-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/files/0x0009000000014abe-4.dat	upx
behavioral1/memory/1224-5-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2196-14-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1224-16-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1224-17-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1224-22-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\amdcpusetu.exe	9b9f13977cef00e01804a748606aabe4.exe
File opened for modification	C:\Windows\amdcpusetu.exe	9b9f13977cef00e01804a748606aabe4.exe
File created	C:\Windows\uninstal.baT	9b9f13977cef00e01804a748606aabe4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	9b9f13977cef00e01804a748606aabe4.exe
Token: SeDebugPrivilege	1224	amdcpusetu.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1224	amdcpusetu.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 1228	2196	9b9f13977cef00e01804a748606aabe4.exe	29
PID 2196 wrote to memory of 1228	2196	9b9f13977cef00e01804a748606aabe4.exe	29
PID 2196 wrote to memory of 1228	2196	9b9f13977cef00e01804a748606aabe4.exe	29
PID 2196 wrote to memory of 1228	2196	9b9f13977cef00e01804a748606aabe4.exe	29
PID 2196 wrote to memory of 1228	2196	9b9f13977cef00e01804a748606aabe4.exe	29
PID 2196 wrote to memory of 1228	2196	9b9f13977cef00e01804a748606aabe4.exe	29
PID 2196 wrote to memory of 1228	2196	9b9f13977cef00e01804a748606aabe4.exe	29

C:\Users\Admin\AppData\Local\Temp\9b9f13977cef00e01804a748606aabe4.exe
"C:\Users\Admin\AppData\Local\Temp\9b9f13977cef00e01804a748606aabe4.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.baT
  2⤵
  - Deletes itself
  PID:1228

C:\Windows\amdcpusetu.exe
C:\Windows\amdcpusetu.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\amdcpusetu.exe

Filesize
781KB

MD5
9b9f13977cef00e01804a748606aabe4

SHA1
d88c295158aeef836a2875988b535333d98a2b59

SHA256
4c046796d14f6d096e48dfdf8b1aaef0f667e3817642daa504abf269df645152

SHA512
6fff6401d973f464410a2919ebf0e9ff8f5150ee9ff4633c99c994aa3c6826f39dfa6764c96ec2ec262952ec67ae11759cf0ddace446da98990b63b69d54f504

Download Submit
C:\Windows\uninstal.baT

Filesize
190B

MD5
b17d5b975917915b85062054604123e6

SHA1
3d9af090461755e21752469a1089f96cf6a62f35

SHA256
1c413787c0df8b773f2fcac9f9fc70d43011d7cfe7543f74894b2cb31e8d614d

SHA512
e32a74c038453c277584d4a8ac65b289e53e96fb050b33bb40a35a31a1244712b2302a1ca01d411d5b6ee9688c221510951a817f722c84a07ea5ca5650e7a82a

Download Submit
memory/1224-5-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1224-6-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1224-16-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1224-17-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1224-18-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1224-22-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2196-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2196-1-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2196-14-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download