be94017ccde0b9b5910adeec0a7374a1fb6ff7d76328afce5f10632e9f43c853

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-03-2024 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b44c248d7cfbdfbd15b8e48d69c7ec32.exe
Size

11KB
MD5

b44c248d7cfbdfbd15b8e48d69c7ec32
SHA1

8da2fdcb208f74b88df46acff9baa415b310d647
SHA256

be94017ccde0b9b5910adeec0a7374a1fb6ff7d76328afce5f10632e9f43c853
SHA512

c90633999ebe0b16f17e3f8f1b0d6562f60b6749aec584af99d1dae5cc685ebf5ea7ad7ea7681c3efae5bb7f158755d43a87e36c449d7a879bb7e15115e39449
SSDEEP

192:RyRqv0hZ9juHQJ41DIBFLe/DKuXqT/WCBc8DCz4rUocRhrZeIyyN4cKBUOwzc+J:IIs5/J41DkleGukWCBc8DdrKroEOwA+J

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
1560	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2308	comboausk.exe

Loads dropped DLL 2 IoCs

pid	Process
2236	b44c248d7cfbdfbd15b8e48d69c7ec32.exe
2236	b44c248d7cfbdfbd15b8e48d69c7ec32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0009000000016c90-3.dat	upx
behavioral1/memory/2236-4-0x0000000000030000-0x000000000003F000-memory.dmp	upx
behavioral1/memory/2236-19-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2308-21-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\comboaus.dll	b44c248d7cfbdfbd15b8e48d69c7ec32.exe
File created	C:\Windows\SysWOW64\comboausk.exe	b44c248d7cfbdfbd15b8e48d69c7ec32.exe
File opened for modification	C:\Windows\SysWOW64\comboausk.exe	b44c248d7cfbdfbd15b8e48d69c7ec32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2236	b44c248d7cfbdfbd15b8e48d69c7ec32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2308	2236	b44c248d7cfbdfbd15b8e48d69c7ec32.exe	28
PID 2236 wrote to memory of 2308	2236	b44c248d7cfbdfbd15b8e48d69c7ec32.exe	28
PID 2236 wrote to memory of 2308	2236	b44c248d7cfbdfbd15b8e48d69c7ec32.exe	28
PID 2236 wrote to memory of 2308	2236	b44c248d7cfbdfbd15b8e48d69c7ec32.exe	28
PID 2236 wrote to memory of 1560	2236	b44c248d7cfbdfbd15b8e48d69c7ec32.exe	29
PID 2236 wrote to memory of 1560	2236	b44c248d7cfbdfbd15b8e48d69c7ec32.exe	29
PID 2236 wrote to memory of 1560	2236	b44c248d7cfbdfbd15b8e48d69c7ec32.exe	29
PID 2236 wrote to memory of 1560	2236	b44c248d7cfbdfbd15b8e48d69c7ec32.exe	29

C:\Users\Admin\AppData\Local\Temp\b44c248d7cfbdfbd15b8e48d69c7ec32.exe
"C:\Users\Admin\AppData\Local\Temp\b44c248d7cfbdfbd15b8e48d69c7ec32.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\comboausk.exe
  C:\Windows\system32\comboausk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\b44c248d7cfbdfbd15b8e48d69c7ec32.exe.bat
  2⤵
  - Deletes itself
  PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b44c248d7cfbdfbd15b8e48d69c7ec32.exe.bat

Filesize
182B

MD5
67bb5d947c4711f69a514bb9c2d78651

SHA1
92dd279058b1a685571d91c17559e7313df5324b

SHA256
47306717eac54f75f6d3bd5732c02256ecc17e1c247ebf4383a9a19203f62a7f

SHA512
7b242f65d34c19b3dc9aec1e151bb453b3fb55d9c64912912377d515d7012e2081a41ed65cf50d53a0fa8f4b98957abfaf1920e1d997e6357aace5fec6413dfd

Download Submit
\Windows\SysWOW64\comboausk.exe

Filesize
11KB

MD5
b44c248d7cfbdfbd15b8e48d69c7ec32

SHA1
8da2fdcb208f74b88df46acff9baa415b310d647

SHA256
be94017ccde0b9b5910adeec0a7374a1fb6ff7d76328afce5f10632e9f43c853

SHA512
c90633999ebe0b16f17e3f8f1b0d6562f60b6749aec584af99d1dae5cc685ebf5ea7ad7ea7681c3efae5bb7f158755d43a87e36c449d7a879bb7e15115e39449

Download Submit
memory/2236-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2236-4-0x0000000000030000-0x000000000003F000-memory.dmp

Filesize
60KB

Download
memory/2236-11-0x0000000000030000-0x000000000003F000-memory.dmp

Filesize
60KB

Download
memory/2236-19-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2308-21-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download