e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 05:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
Size

5.3MB
MD5

ae76f1c06a464eb4d2b176a6a5a873a6
SHA1

69b44fcbd5ac41e12733ae1d9b4807c51af0e90a
SHA256

e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5
SHA512

c81b2e7d9e3b980b891a4ca181536437643ba6a00af01b79a4924880a26005f41705a511387c3c0909eedc8fcec25c62466db45c6402247201ae9fadb37ce987
SSDEEP

98304:9w+EGV4bm55hqi9cNlqw/2syqHOnqlMFFXULmaI58FDyXSb29+0RvNWHrMPseF7:9BEGV4s5hNy5OnsMFBmdh9b29+q0rMP

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2636	sg.tmp
2516	AutoSnapShot.exe

Loads dropped DLL 2 IoCs

pid	Process
2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2292-0-0x0000000000400000-0x000000000056C000-memory.dmp	upx
behavioral1/memory/3032-8-0x0000000000400000-0x000000000056C000-memory.dmp	upx
behavioral1/memory/3032-10-0x0000000000400000-0x000000000056C000-memory.dmp	upx
behavioral1/memory/2292-34-0x0000000002DB0000-0x0000000002E6A000-memory.dmp	upx
behavioral1/files/0x00080000000126c7-33.dat	upx
behavioral1/memory/2516-35-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2516-48-0x0000000002150000-0x0000000002160000-memory.dmp	upx
behavioral1/memory/2292-66-0x0000000000400000-0x000000000056C000-memory.dmp	upx
behavioral1/memory/2292-69-0x0000000000400000-0x000000000056C000-memory.dmp	upx
behavioral1/memory/2516-70-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2516-71-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2516-76-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2516-83-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2516-85-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2516-87-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2516-90-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2516-92-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2516-94-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2516-96-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2516-98-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2516-100-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2516-102-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2516-104-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2516-106-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeBackupPrivilege	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
Token: SeRestorePrivilege	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
Token: 33	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
Token: SeIncBasePriorityPrivilege	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
Token: SeCreateGlobalPrivilege	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
Token: 33	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
Token: SeIncBasePriorityPrivilege	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
Token: 33	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
Token: SeIncBasePriorityPrivilege	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
Token: SeBackupPrivilege	3032	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
Token: SeRestorePrivilege	3032	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
Token: 33	3032	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
Token: SeIncBasePriorityPrivilege	3032	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
Token: 33	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
Token: SeIncBasePriorityPrivilege	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
Token: SeRestorePrivilege	2636	sg.tmp
Token: 35	2636	sg.tmp
Token: SeSecurityPrivilege	2636	sg.tmp
Token: SeSecurityPrivilege	2636	sg.tmp
Token: 33	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
Token: SeIncBasePriorityPrivilege	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
Token: SeBackupPrivilege	2516	AutoSnapShot.exe
Token: SeRestorePrivilege	2516	AutoSnapShot.exe
Token: 33	2516	AutoSnapShot.exe
Token: SeIncBasePriorityPrivilege	2516	AutoSnapShot.exe
Token: 33	2516	AutoSnapShot.exe
Token: SeIncBasePriorityPrivilege	2516	AutoSnapShot.exe
Token: 33	2516	AutoSnapShot.exe
Token: SeIncBasePriorityPrivilege	2516	AutoSnapShot.exe
Token: 33	2516	AutoSnapShot.exe
Token: SeIncBasePriorityPrivilege	2516	AutoSnapShot.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1888	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe	28
PID 2292 wrote to memory of 1888	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe	28
PID 2292 wrote to memory of 1888	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe	28
PID 2292 wrote to memory of 1888	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe	28
PID 2292 wrote to memory of 3032	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe	30
PID 2292 wrote to memory of 3032	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe	30
PID 2292 wrote to memory of 3032	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe	30
PID 2292 wrote to memory of 3032	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe	30
PID 2292 wrote to memory of 2636	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe	31
PID 2292 wrote to memory of 2636	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe	31
PID 2292 wrote to memory of 2636	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe	31
PID 2292 wrote to memory of 2636	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe	31
PID 2292 wrote to memory of 2516	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe	33
PID 2292 wrote to memory of 2516	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe	33
PID 2292 wrote to memory of 2516	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe	33
PID 2292 wrote to memory of 2516	2292	e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe	33
PID 2516 wrote to memory of 3064	2516	AutoSnapShot.exe	35
PID 2516 wrote to memory of 3064	2516	AutoSnapShot.exe	35
PID 2516 wrote to memory of 3064	2516	AutoSnapShot.exe	35
PID 2516 wrote to memory of 3064	2516	AutoSnapShot.exe	35

C:\Users\Admin\AppData\Local\Temp\e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
"C:\Users\Admin\AppData\Local\Temp\e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:1888
- C:\Users\Admin\AppData\Local\Temp\e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
  PECMD**pecmd-cmd* PUTF -dd -skipb=979968 -len=4541759 "C:\Users\Admin\AppData\Local\Temp\~8968138827155887592.tmp",,C:\Users\Admin\AppData\Local\Temp\e4c46b372c94ff894833a62fff302b824370d9f1a03591c7c944323e8d8ccbf5.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\~2217372766887371475~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~8968138827155887592.tmp" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\SnapShot"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Users\Admin\AppData\Local\Temp\SnapShot\AutoSnapShot.exe
  "C:\Users\Admin\AppData\Local\Temp\SnapShot\AutoSnapShot.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\system32\cmd.exe
    cmd /c for %i in (C D E F G H I J K L) do if exist %i: echo %i:>"C:\Users\Admin\AppData\Local\Temp\panfu.txt"
    3⤵
    PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SnapShot\AutoSnapShot.exe

Filesize
331KB

MD5
f1c57fe6855ed2f75396b27ffe8f804c

SHA1
fb8d0edcce531ab114029532d190e5e7a3d71242

SHA256
33d2d7d8396f62c6b781f32be730356a3aaf407ba4ee04053983df5426acfe76

SHA512
43b861a01a562ef8d19b3566490ccec350dea105ae42b8419695f029d5e1f2ce9615002473f0b8aded089b4be51fdc9401ae90da282e5397117712d9426346b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\panfu.txt

Filesize
4B

MD5
36ad3c0808c2ec49d3541cf84c2af403

SHA1
1352fb2aa95a09b0f84e27ca4568f9f45246f078

SHA256
b2ba628ca555987613fac8e37184d1c57286f2787ec3d95867385fce69342a51

SHA512
51141f43bf769c182ef435ee51ade199bdb266a8857891f82c196443c98a4d09a44030d4f8afa091ae5dd49e249d08c14c0da6c355dc051f724e695a0467d34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~8968138827155887592.tmp

Filesize
2.4MB

MD5
064d72b374600832cd7d29026b84fdb7

SHA1
8b60967bf24e74de71fc7c973da278e99c4b09a5

SHA256
ad5dc5689d05ce02bd1c5b45d2975f4a85b8c2159d8bcb02267f2fb82f1a8d7a

SHA512
0b259283f6ad8bba4d838c3a23640102ac2646ae53bac30a5865b4d858706059094200f6bc475f1b98b762e5e302264a8e938c649958d5264cb60febd85ff8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\~8968138827155887592.tmp

Filesize
1.2MB

MD5
f435a0d1bbb5ae7bac1fca6e7618e5a0

SHA1
0c76af68c38a7819c0143f1f775d08b90e06410f

SHA256
84f294937862e5d20cb0008accdd150d08772094ea9bde310e4d46ac32e1a011

SHA512
ea1d9cff8eb3ea0d98982bb30a863247c71d23e32168af5134d93e93d4f1111e941ea3cf5c74ecf73ddefb2b14279c4089dd0852739f0359e752ed09c20cd07f

Download Submit
\Users\Admin\AppData\Local\Temp\~2217372766887371475~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
memory/2292-69-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2292-7-0x0000000002820000-0x000000000298C000-memory.dmp

Filesize
1.4MB

Download
memory/2292-34-0x0000000002DB0000-0x0000000002E6A000-memory.dmp

Filesize
744KB

Download
memory/2292-67-0x0000000002820000-0x000000000298C000-memory.dmp

Filesize
1.4MB

Download
memory/2292-0-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2292-68-0x0000000002DB0000-0x0000000002E6A000-memory.dmp

Filesize
744KB

Download
memory/2292-66-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2516-72-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2516-75-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2516-48-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2516-50-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2516-63-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2516-65-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2516-64-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2516-62-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2516-51-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2516-39-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2516-71-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2516-37-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2516-35-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2516-106-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2516-70-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2516-104-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2516-73-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2516-46-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2516-77-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2516-76-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2516-78-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2516-79-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2516-80-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2516-81-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2516-83-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2516-85-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2516-87-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2516-90-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2516-92-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2516-94-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2516-96-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2516-98-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2516-100-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2516-102-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3032-8-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/3032-10-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download