541ed74957916e4a0fa4ac460180191d456a12242fe379d7b1d545f833ad210a

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
29-02-2024 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

linking53.exe
Size

1.5MB
MD5

f8dfc2ddce5ca228d0a4ba87635838ab
SHA1

62bcb5a85d170e852aa16e0697991c7b83f36fe6
SHA256

23504b3d2ed392d6bde292fc708ea3066f05f0f0d76a08dd390e917dea1d9ba0
SHA512

dc643273222033b1ca1c16dcbba45c93c2cc4e52407887a199a989dacd4e882c1ce95d67209a36ebff71143d585f08d30ae3bb199614f4b3ed71f176a95a27d2
SSDEEP

24576:04LJ432H6QyzLgm7Y1vYrl7UoN0xeqBLu3rHIOJ40ZKQ/w2C4NYExnqJ+FDaaY+P:hLJ4maa2LNIhl130ZKQ/w2C4Tx++VlYo

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2996	setup.exe

Loads dropped DLL 4 IoCs

pid	Process
1888	linking53.exe
2996	setup.exe
2996	setup.exe
2996	setup.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000015cbd-5.dat	upx
behavioral1/memory/1888-7-0x0000000002080000-0x00000000020F1000-memory.dmp	upx
behavioral1/memory/2996-11-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2996-19-0x0000000000400000-0x0000000000471000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 2996	1888	linking53.exe	28
PID 1888 wrote to memory of 2996	1888	linking53.exe	28
PID 1888 wrote to memory of 2996	1888	linking53.exe	28
PID 1888 wrote to memory of 2996	1888	linking53.exe	28
PID 1888 wrote to memory of 2996	1888	linking53.exe	28
PID 1888 wrote to memory of 2996	1888	linking53.exe	28
PID 1888 wrote to memory of 2996	1888	linking53.exe	28
PID 2996 wrote to memory of 2536	2996	setup.exe	29
PID 2996 wrote to memory of 2536	2996	setup.exe	29
PID 2996 wrote to memory of 2536	2996	setup.exe	29
PID 2996 wrote to memory of 2536	2996	setup.exe	29
PID 2996 wrote to memory of 2536	2996	setup.exe	29
PID 2996 wrote to memory of 2536	2996	setup.exe	29
PID 2996 wrote to memory of 2536	2996	setup.exe	29

C:\Users\Admin\AppData\Local\Temp\linking53.exe
"C:\Users\Admin\AppData\Local\Temp\linking53.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\ae9743\setup.exe
  C:\Users\Admin\AppData\Local\Temp\ae9743\setup.exe -d "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ae9743\ÔËÐÐÇ°ÔÄ¶Á.txt
    3⤵
    PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ae9743\Setup.ini

Filesize
3KB

MD5
507f6c67701f7605a735429305a44dbb

SHA1
c3d4739bad9ec265c248c379f8ed28d975fd87bb

SHA256
a4b91a2533641471a482d7f4c9c469abc38c41f195d1f0d005c36344c5c81514

SHA512
b67f040698f4aad0baa5f3ccaaf0de60bda623981e9c00bddcaef56cb20bdecda647182669bd3a9a05fec46db3aac198b965aa4aba22d86e2f9912265d79080a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae9743\¼òÌåÖÐÎÄ.dat

Filesize
4KB

MD5
b02bab409baabb2f432a9deb588edc75

SHA1
485b21647b8037864e35e4fa6fb268ba50883fd5

SHA256
a00b95f9e9b0e3f7fb145eabd68be1688cab81adb399c23d8810ed0fc3e0293d

SHA512
484c86c43a3a2e978e150b12cbf7948492a60aee49eff581574b5845d31c58998066dac8332ffd38ce1106778405e0cbd6622c8bf06b7877fa7c0ca777a9f17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae9743\ÔËÐÐÇ°ÔÄ¶Á.txt

Filesize
114B

MD5
25e1e8cae840f790b40af73281e0d6ca

SHA1
75507c799a2a25b9477aeb0c70fd78681f5ba861

SHA256
ac4e77fab602946573722695731ddae5c38995fbc2c44cc725a1b7d3992eb4ea

SHA512
cdb2f617c095a5431a6e51ba40e5ae3e2ccbb26a217e152a95aa66716593dce34660c7bceda44cecc6602a807af1706da51ea9d5d989eac32c368402f36f82c1

Download Submit
\Users\Admin\AppData\Local\Temp\ae9743\setup.exe

Filesize
149KB

MD5
808e84852804a6a0a036edf798428f6c

SHA1
8b8923c86da2bd7fbe15bf8ec0178fa210b06e8e

SHA256
2208362d112c755d569a03e28282b30dd53ddd79fe44dcde6ecad23ea82b37b2

SHA512
9df79af8b7fd4945ffc58122063ba797b39a905f1665ce4c802a30bf8c721e1498296862fee0aa9291456aae0f6bc6634a5303ac22b336f927ba290c25b4ef6a

Download Submit
memory/1888-7-0x0000000002080000-0x00000000020F1000-memory.dmp

Filesize
452KB

Download
memory/2996-11-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2996-15-0x0000000000230000-0x00000000002A1000-memory.dmp

Filesize
452KB

Download
memory/2996-19-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download