de246a85f33ecdbf6b0412d0aa34492e52d7047c50a901a990e7d73902b175bf

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

getscreen-741290987-x86.exe
Size

3.5MB
MD5

7934e3fdb6a906d5fd32fd1055dad2cf
SHA1

7461fc1ca4fdb7f96fd6e82044027304c55668ee
SHA256

de246a85f33ecdbf6b0412d0aa34492e52d7047c50a901a990e7d73902b175bf
SHA512

f4ec858706c869f976e2d09a65af27bbe6ddb2c64add907a785bb4296b6e87807f511bcdd0d3b8b1aa05a62a5f9f3854c5960bdb655f0a400e869fe7c40fb36e
SSDEEP

49152:6dQ4omSYtiblkFLMYzIcE1x4MjjYp30g0KKpF1cER3iRHFdAQupummsDLlhySYJH:uQxmb+SpjxB0NpF6a37uuR0JxF5+g

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2904	rbudxoqunkpeggztvnxpypdgznxrcqa-elevate.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1696-0-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/2744-7-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/files/0x0006000000018b50-9.dat	upx
behavioral1/memory/2904-11-0x0000000000160000-0x000000000184F000-memory.dmp	upx
behavioral1/files/0x0006000000018b50-10.dat	upx
behavioral1/memory/2904-15-0x0000000000160000-0x000000000184F000-memory.dmp	upx
behavioral1/memory/1696-18-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/2744-19-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/2568-21-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/2568-34-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/1696-35-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/2744-36-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/1696-37-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/1696-39-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/2744-40-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/2744-42-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/1696-44-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/2744-45-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/1696-46-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/2744-47-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/1696-49-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/2744-50-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/2744-52-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/1696-53-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/2744-54-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/1696-55-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/2744-56-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/1696-57-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/2744-58-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/1696-59-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/2744-60-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/1696-61-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/2744-62-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/1696-63-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/2744-64-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/1696-65-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx
behavioral1/memory/2744-66-0x00000000012C0000-0x00000000029AF000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	getscreen-741290987-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	getscreen-741290987-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	getscreen-741290987-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\getscreen-741290987-x86.exe = "11001"	getscreen-741290987-x86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\getscreen-741290987-x86.exe = "11001"	getscreen-741290987-x86.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2568	getscreen-741290987-x86.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1696	getscreen-741290987-x86.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2744	getscreen-741290987-x86.exe
2744	getscreen-741290987-x86.exe
2744	getscreen-741290987-x86.exe
2744	getscreen-741290987-x86.exe
2744	getscreen-741290987-x86.exe
2744	getscreen-741290987-x86.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2744	getscreen-741290987-x86.exe
2744	getscreen-741290987-x86.exe
2744	getscreen-741290987-x86.exe
2744	getscreen-741290987-x86.exe
2744	getscreen-741290987-x86.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2744	1696	getscreen-741290987-x86.exe	28
PID 1696 wrote to memory of 2744	1696	getscreen-741290987-x86.exe	28
PID 1696 wrote to memory of 2744	1696	getscreen-741290987-x86.exe	28
PID 1696 wrote to memory of 2744	1696	getscreen-741290987-x86.exe	28

C:\Users\Admin\AppData\Local\Temp\getscreen-741290987-x86.exe
"C:\Users\Admin\AppData\Local\Temp\getscreen-741290987-x86.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\getscreen-741290987-x86.exe
  "C:\Users\Admin\AppData\Local\Temp\getscreen-741290987-x86.exe" -gpipe \\.\pipe\PCommand97emzyuovloruowam -gui
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2744
- C:\Users\Admin\AppData\Local\Temp\getscreen-741290987-x86.exe
  "C:\Users\Admin\AppData\Local\Temp\getscreen-741290987-x86.exe" -cpipe \\.\pipe\PCommand96iwhdpdfzjgxnsel -child
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2568

C:\ProgramData\Getscreen.me\rbudxoqunkpeggztvnxpypdgznxrcqa-elevate.exe
"C:\ProgramData\Getscreen.me\rbudxoqunkpeggztvnxpypdgznxrcqa-elevate.exe" -elevate \\.\pipe\elevateGS512rbudxoqunkpeggztvnxpypdgznxrcqa
1⤵
- Executes dropped EXE
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Getscreen.me\logs\20240305.log

Filesize
674B

MD5
0996ff04a328956d7ce0c05f0b493778

SHA1
1e76dcbd59865602dc3a5c1c9a93817ad3453e8e

SHA256
f788abe94a1330bedfd8016ce3e0a9727958ed412b743bf009a5ad3b898e1e02

SHA512
9dd2a9778282c5a94f3b7411503a9c8f7cec8256fb884a349dcd22699de3c0869d820dbe9f00e2fe9bb72ec63197879350c8b8c4abb07ea51593557916aa3dc6

Download Submit
C:\ProgramData\Getscreen.me\logs\20240305.log

Filesize
1KB

MD5
1b6069a9b5f50ea9b9e36306194d92b4

SHA1
1782bc7c0317af01d93931a4218217910305557b

SHA256
071ca57744d0e33000d2df855215c3499c717b9ca2e5d37ea3f22e07ed4fa281

SHA512
8b3204857da132a744a73a48e50f5cd99d4f5432860883927042f0b374d4ca12b0d8368736521b2f414530edd1998b32f2ce12953ca5144f9c51afffcd4b06d7

Download Submit
C:\ProgramData\Getscreen.me\logs\20240305.log

Filesize
433B

MD5
c70c0e7143b123703d725cffa2d681b9

SHA1
090dac8e82dcd134ce128de23415ca0d7b449e18

SHA256
90990eaf90c07ba8fed5f6b5e5fe297d31aa70d6540765764abeda16fcb261a8

SHA512
97bec7e695f17e79bc4ceff74709f06156f2aa34b55f3340e3edf8f3a5ee62a99f84164e1cd89e5d2974342ead09c19e8030e1c5eca496c5ebb040bb6d212baf

Download Submit
C:\ProgramData\Getscreen.me\rbudxoqunkpeggztvnxpypdgznxrcqa-elevate.exe

Filesize
2.9MB

MD5
dd95d1817a7933bc07d001fea148484a

SHA1
dda3c089c848b9f2a8827b4d4ed8246aea4eaecd

SHA256
e86af654b294ac0379cf91761d7e76fe7fe45964f8f4c7ee3dda9c6254bdb74d

SHA512
e5c24c9e9df1a97d06db5ab2193c07fb9c9ec2899aa50a4fdaf5a6f9864aedcac5bf9b3f1645d5fec765a0f025960045c24726299c1e0709b1e5d874791b5c7d

Download Submit
C:\ProgramData\Getscreen.me\rbudxoqunkpeggztvnxpypdgznxrcqa-elevate.exe

Filesize
3.2MB

MD5
d900cfdb926b72b24dc0b8cc37b79ba0

SHA1
f79d3628a7215b9fc99ef575325ec2eb20e58ff4

SHA256
3927a70c656b756ab245aa131e28b9da7c85bc0f21da434b7aa3c754665844b0

SHA512
b63e7572ec5c50fbd7d0055f7c77571be81be274af25d3496157d04ac2c3f2f2c357ac79c38d80ad55a5ac84fa1c3d231761858de1964d3fc211cb3e3f2d9cea

Download Submit
memory/1696-57-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/1696-39-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/1696-63-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/1696-65-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/1696-59-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/1696-18-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/1696-6-0x0000000003EB0000-0x000000000559F000-memory.dmp

Filesize
22.9MB

Download
memory/1696-46-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/1696-44-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/1696-0-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/1696-35-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/1696-55-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/1696-37-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/1696-61-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/1696-53-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/1696-41-0x0000000003EB0000-0x000000000559F000-memory.dmp

Filesize
22.9MB

Download
memory/1696-49-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/2568-34-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/2568-21-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/2744-43-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2744-56-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/2744-47-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/2744-42-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/2744-50-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/2744-52-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/2744-40-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/2744-54-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/2744-36-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/2744-45-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/2744-19-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/2744-58-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/2744-66-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/2744-60-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/2744-7-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/2744-62-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/2744-8-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2744-64-0x00000000012C0000-0x00000000029AF000-memory.dmp

Filesize
22.9MB

Download
memory/2904-11-0x0000000000160000-0x000000000184F000-memory.dmp

Filesize
22.9MB

Download
memory/2904-15-0x0000000000160000-0x000000000184F000-memory.dmp

Filesize
22.9MB

Download