7c856e2e779dd19b2db99bd9e055f537b0859a57af8965f47bd5bd56ac67f9e0

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac53e736a4ec7ed14e4a86f4085fb0de.exe
Size

96KB
MD5

ac53e736a4ec7ed14e4a86f4085fb0de
SHA1

40b7e784c65817aa96b085bcfb0b7027ba80921f
SHA256

7c856e2e779dd19b2db99bd9e055f537b0859a57af8965f47bd5bd56ac67f9e0
SHA512

873549d5fa2f5b9e6676a939dc4d2496a3e226d7eff2e17991c4f2cb461849f0e0398771c0144616fc261ff4979617315dd88051f4cb9908c06e0520990f8d17
SSDEEP

1536:dYcr1FNtKFJjbwtIxwdbqTOpHbVSCxIe8tSftoIHtmHKE8:dYcrNcvYtIIp7VSo88amjE8

Score

7^/10

upx

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2944.exe	attrib.exe

Executes dropped EXE 2 IoCs

pid	Process
2528	2944.exe
2392	2944.exe

Loads dropped DLL 3 IoCs

pid	Process
2620	cmd.exe
2620	cmd.exe
2528	2944.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2460-0-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2460-4-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2460-3-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2460-2-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2460-31-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 2460	2644	ac53e736a4ec7ed14e4a86f4085fb0de.exe	28
PID 2528 set thread context of 2392	2528	2944.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2392	2944.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2460	2644	ac53e736a4ec7ed14e4a86f4085fb0de.exe	28
PID 2644 wrote to memory of 2460	2644	ac53e736a4ec7ed14e4a86f4085fb0de.exe	28
PID 2644 wrote to memory of 2460	2644	ac53e736a4ec7ed14e4a86f4085fb0de.exe	28
PID 2644 wrote to memory of 2460	2644	ac53e736a4ec7ed14e4a86f4085fb0de.exe	28
PID 2644 wrote to memory of 2460	2644	ac53e736a4ec7ed14e4a86f4085fb0de.exe	28
PID 2644 wrote to memory of 2460	2644	ac53e736a4ec7ed14e4a86f4085fb0de.exe	28
PID 2644 wrote to memory of 2460	2644	ac53e736a4ec7ed14e4a86f4085fb0de.exe	28
PID 2644 wrote to memory of 2460	2644	ac53e736a4ec7ed14e4a86f4085fb0de.exe	28
PID 2460 wrote to memory of 2620	2460	ac53e736a4ec7ed14e4a86f4085fb0de.exe	29
PID 2460 wrote to memory of 2620	2460	ac53e736a4ec7ed14e4a86f4085fb0de.exe	29
PID 2460 wrote to memory of 2620	2460	ac53e736a4ec7ed14e4a86f4085fb0de.exe	29
PID 2460 wrote to memory of 2620	2460	ac53e736a4ec7ed14e4a86f4085fb0de.exe	29
PID 2620 wrote to memory of 2528	2620	cmd.exe	31
PID 2620 wrote to memory of 2528	2620	cmd.exe	31
PID 2620 wrote to memory of 2528	2620	cmd.exe	31
PID 2620 wrote to memory of 2528	2620	cmd.exe	31
PID 2620 wrote to memory of 1720	2620	cmd.exe	32
PID 2620 wrote to memory of 1720	2620	cmd.exe	32
PID 2620 wrote to memory of 1720	2620	cmd.exe	32
PID 2620 wrote to memory of 1720	2620	cmd.exe	32
PID 2528 wrote to memory of 2392	2528	2944.exe	33
PID 2528 wrote to memory of 2392	2528	2944.exe	33
PID 2528 wrote to memory of 2392	2528	2944.exe	33
PID 2528 wrote to memory of 2392	2528	2944.exe	33
PID 2528 wrote to memory of 2392	2528	2944.exe	33
PID 2528 wrote to memory of 2392	2528	2944.exe	33
PID 2528 wrote to memory of 2392	2528	2944.exe	33
PID 2528 wrote to memory of 2392	2528	2944.exe	33
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13
PID 2392 wrote to memory of 1092	2392	2944.exe	13

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1720	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1092
- C:\Users\Admin\AppData\Local\Temp\ac53e736a4ec7ed14e4a86f4085fb0de.exe
  "C:\Users\Admin\AppData\Local\Temp\ac53e736a4ec7ed14e4a86f4085fb0de.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\ac53e736a4ec7ed14e4a86f4085fb0de.exe
    C:\Users\Admin\AppData\Local\Temp\ac53e736a4ec7ed14e4a86f4085fb0de.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\1342.tmp\kill.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Users\Admin\AppData\Local\Temp\2944.exe
        
        2944.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2528
      - C:\Users\Admin\AppData\Local\Temp\2944.exe
        
        C:\Users\Admin\AppData\Local\Temp\2944.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2392
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib *.exe -h /s /d
        5⤵
        Drops startup file
        Views/modifies file attributes
        
        PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1342.tmp\kill.bat

Filesize
260B

MD5
61ad706c4223ca50308e9e80eaf79d88

SHA1
9f2f62d10a38b24167ea88dc24f0de9c52ab03c8

SHA256
76cc0c681c6f3ee1a025bc01349e18b05bf0d95eb923782179c0c8a452f73f24

SHA512
f7a28ba9f51612d58e98253b7a2c5a0ab284d9fb6e04cceacf0fa7a065febeb7cce38ce935fc1ac3eaa6122026ff04235bc59572711ac0b8e225b48f40a9c92c

Download Submit
\Users\Admin\AppData\Local\Temp\2944.exe

Filesize
60KB

MD5
105964f3c1091b73ce4904078c145a32

SHA1
0425ea9e3f9f18a5dcf0fcb46b11b2365dbea03f

SHA256
dc62b29db290d014b6f0ae2480067253cd2ca02e44bee79557bf4d41e7e7fe4e

SHA512
8e20c5f24aa770177aa52348228d34064d27925c995139a1d1cc32d9af0d25948db057c9efe25495cf1bc885e552d7d8277779f3b0eb2b95bf32fb8a9070bdf4

Download Submit
memory/2392-34-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2392-37-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2392-38-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2460-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2460-4-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2460-3-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2460-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2460-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download