d71b0c0492be6df24ffb7a6a822424e4e1965c5de4f3d7db4ea70e0f784fc7e5

Analysis

max time kernel
143s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 08:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a16042ae8cd95eb562ed7b79eed8fd41.exe
Size

366KB
MD5

a16042ae8cd95eb562ed7b79eed8fd41
SHA1

4e936ee0b53b0685bd816cde7fc62e4d864167c8
SHA256

d71b0c0492be6df24ffb7a6a822424e4e1965c5de4f3d7db4ea70e0f784fc7e5
SHA512

2ae54aae21662b5973c6699e54b66bfbe08a453dfe3e5c6b85a0df1e433e60aac480807cbce5cd2f794bb2d48b67aa4cdbd2ffbff1050cfe5c5adae155889157
SSDEEP

6144:VYBxCXOOThrBLhClZ/EL/lY9FlUAxHfzHCUs5ttqX/hYbxtt97JuvqraMjCr:VQxj4JLSEL/l6UAtiluWvMCWMWr

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1452	gIh10601gFkKm10601.exe

Executes dropped EXE 2 IoCs

pid	Process
3772	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2072-1-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral2/memory/2072-22-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral2/memory/3772-31-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral2/memory/1452-32-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral2/memory/1452-37-0x0000000000400000-0x00000000004CB000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4348	1452	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2072	a16042ae8cd95eb562ed7b79eed8fd41.exe
2072	a16042ae8cd95eb562ed7b79eed8fd41.exe
2072	a16042ae8cd95eb562ed7b79eed8fd41.exe
2072	a16042ae8cd95eb562ed7b79eed8fd41.exe
2072	a16042ae8cd95eb562ed7b79eed8fd41.exe
2072	a16042ae8cd95eb562ed7b79eed8fd41.exe
2072	a16042ae8cd95eb562ed7b79eed8fd41.exe
2072	a16042ae8cd95eb562ed7b79eed8fd41.exe
2072	a16042ae8cd95eb562ed7b79eed8fd41.exe
2072	a16042ae8cd95eb562ed7b79eed8fd41.exe
2072	a16042ae8cd95eb562ed7b79eed8fd41.exe
2072	a16042ae8cd95eb562ed7b79eed8fd41.exe
2072	a16042ae8cd95eb562ed7b79eed8fd41.exe
2072	a16042ae8cd95eb562ed7b79eed8fd41.exe
3772	gIh10601gFkKm10601.exe
3772	gIh10601gFkKm10601.exe
3772	gIh10601gFkKm10601.exe
3772	gIh10601gFkKm10601.exe
3772	gIh10601gFkKm10601.exe
3772	gIh10601gFkKm10601.exe
3772	gIh10601gFkKm10601.exe
3772	gIh10601gFkKm10601.exe
3772	gIh10601gFkKm10601.exe
3772	gIh10601gFkKm10601.exe
3772	gIh10601gFkKm10601.exe
3772	gIh10601gFkKm10601.exe
3772	gIh10601gFkKm10601.exe
3772	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
3772	gIh10601gFkKm10601.exe
3772	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
3772	gIh10601gFkKm10601.exe
3772	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe
1452	gIh10601gFkKm10601.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	a16042ae8cd95eb562ed7b79eed8fd41.exe
Token: SeDebugPrivilege	3772	gIh10601gFkKm10601.exe
Token: SeDebugPrivilege	1452	gIh10601gFkKm10601.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 3772	2072	a16042ae8cd95eb562ed7b79eed8fd41.exe	87
PID 2072 wrote to memory of 3772	2072	a16042ae8cd95eb562ed7b79eed8fd41.exe	87
PID 2072 wrote to memory of 3772	2072	a16042ae8cd95eb562ed7b79eed8fd41.exe	87
PID 2072 wrote to memory of 1452	2072	a16042ae8cd95eb562ed7b79eed8fd41.exe	88
PID 2072 wrote to memory of 1452	2072	a16042ae8cd95eb562ed7b79eed8fd41.exe	88
PID 2072 wrote to memory of 1452	2072	a16042ae8cd95eb562ed7b79eed8fd41.exe	88

C:\Users\Admin\AppData\Local\Temp\a16042ae8cd95eb562ed7b79eed8fd41.exe
"C:\Users\Admin\AppData\Local\Temp\a16042ae8cd95eb562ed7b79eed8fd41.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\ProgramData\gIh10601gFkKm10601\gIh10601gFkKm10601.exe
  "C:\ProgramData\gIh10601gFkKm10601\gIh10601gFkKm10601.exe" BOMBARDAMAXIMUM
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3772
- C:\ProgramData\gIh10601gFkKm10601\gIh10601gFkKm10601.exe
  "C:\ProgramData\gIh10601gFkKm10601\gIh10601gFkKm10601.exe" "C:\Users\Admin\AppData\Local\Temp\a16042ae8cd95eb562ed7b79eed8fd41.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 1388
    3⤵
    - Program crash
    PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1452 -ip 1452
1⤵
PID:2360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\gIh10601gFkKm10601\gIh10601gFkKm10601

Filesize
192B

MD5
ea1916f6e9dadd38f2237cd901f76e9a

SHA1
55a689b889ac14b532175629a5c3831eb90ac954

SHA256
554e116dfd99aed0f8458442bca66e499734f5de4ca9f5ab6fea75a143d5426f

SHA512
aa8a7f4272bfea42d2e2abc87171d313faaa552c434b8b6951cccac7e2d6506edbd417a9098e55394909137b310944742994bf9fc1666e54e1e15662bdbc186a

Download Submit
C:\ProgramData\gIh10601gFkKm10601\gIh10601gFkKm10601.exe

Filesize
366KB

MD5
ec001b8b052b6a31bf62ea76ccac0272

SHA1
40259bc759d3fc3c0940117bc45cb4d1647822f5

SHA256
56060f97811ff4aa8133d18109f9213ef1e5dfd5b6c01f534b13c5ff1af9259a

SHA512
e53b17257ece112cb720f06816b4360bad3a7c63fa0b0c031a34397c2581f824ad890df5cd26d42e3344ea2263bf297fec7613a97b7ebdfe1220e2bb2552c146

Download Submit
memory/1452-24-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/1452-32-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1452-34-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/1452-37-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2072-1-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2072-2-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2072-22-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/3772-15-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/3772-31-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download