c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
Size

4.1MB
MD5

46ce83fd31d1b64c184e4307862dbc11
SHA1

b5937bc379c27a4c48d2c34d542afbd2da71bf59
SHA256

c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767
SHA512

70db9fbd15f87943af49b3173118ee186bdcd24d69db378cf4c2c127eb2074a86180f3a122846fbf25a06e2d5733040b2e971332dabc4548105d1d4f5780c1df
SSDEEP

98304:DjezfWnQE225WlxBP1FTHPwY7hSzmL26WPm4I4pDyD:3e8QEOtFozl6WPm4lFo

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 37 IoCs

resource	yara_rule
behavioral1/memory/2036-2-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/1796-5-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/files/0x000700000001565a-7.dat	UPX
behavioral1/memory/2492-18-0x000000013FB30000-0x00000001413D4000-memory.dmp	UPX
behavioral1/memory/2492-17-0x000000013FB30000-0x00000001413D4000-memory.dmp	UPX
behavioral1/memory/2548-19-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/2036-21-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/1796-22-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/2548-23-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/2036-24-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/1796-25-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/2548-30-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/2036-32-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/1796-33-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/2036-35-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/1796-36-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/2036-37-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/1796-38-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/2036-39-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/1796-40-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/2036-41-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/1796-42-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/2036-43-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/1796-44-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/2036-45-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/1796-46-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/2036-47-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/1796-48-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/2036-49-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/1796-50-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/2036-51-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/1796-52-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/1796-54-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/2036-55-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/1796-56-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/2036-57-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX
behavioral1/memory/1796-58-0x000000013F580000-0x0000000140E24000-memory.dmp	UPX

Executes dropped EXE 2 IoCs

pid	Process
484	Process not Found
2492	qvtpdlvmdwvgmlbbfhxeasnhgivphkv-elevate.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2036-2-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/1796-5-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/files/0x000700000001565a-7.dat	upx
behavioral1/memory/2492-18-0x000000013FB30000-0x00000001413D4000-memory.dmp	upx
behavioral1/memory/2492-17-0x000000013FB30000-0x00000001413D4000-memory.dmp	upx
behavioral1/memory/2548-19-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/2036-21-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/1796-22-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/2548-23-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/2036-24-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/1796-25-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/2548-30-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/2036-32-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/1796-33-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/2036-35-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/1796-36-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/2036-37-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/1796-38-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/2036-39-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/1796-40-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/2036-41-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/1796-42-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/2036-43-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/1796-44-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/2036-45-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/1796-46-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/2036-47-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/1796-48-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/2036-49-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/1796-50-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/2036-51-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/1796-52-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/1796-54-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/2036-55-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/1796-56-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/2036-57-0x000000013F580000-0x0000000140E24000-memory.dmp	upx
behavioral1/memory/1796-58-0x000000013F580000-0x0000000140E24000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe = "11001"	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe = "11001"	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2548	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2036	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
1796	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
1796	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
1796	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
1796	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
1796	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
1796	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
1796	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
1796	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
1796	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
1796	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
1796	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
1796	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
1796	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
1796	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
1796	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
1796	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
1796	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
1796	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
1796	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1796	2036	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe	28
PID 2036 wrote to memory of 1796	2036	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe	28
PID 2036 wrote to memory of 1796	2036	c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe	28

C:\Users\Admin\AppData\Local\Temp\c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
"C:\Users\Admin\AppData\Local\Temp\c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
  "C:\Users\Admin\AppData\Local\Temp\c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe" -gpipe \\.\pipe\PCommand97twirnowgndnxdsa -gui
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1796
- C:\Users\Admin\AppData\Local\Temp\c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe
  "C:\Users\Admin\AppData\Local\Temp\c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767.exe" -cpipe \\.\pipe\PCommand96gfedbjtphvyklwj -child
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2548

C:\ProgramData\Getscreen.me\qvtpdlvmdwvgmlbbfhxeasnhgivphkv-elevate.exe
"C:\ProgramData\Getscreen.me\qvtpdlvmdwvgmlbbfhxeasnhgivphkv-elevate.exe" -elevate \\.\pipe\elevateGS512qvtpdlvmdwvgmlbbfhxeasnhgivphkv
1⤵
- Executes dropped EXE
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Getscreen.me\logs\20240306.log

Filesize
680B

MD5
e1bf1570c899bf5e45f5fd47b6b52bc7

SHA1
6af1c676449bfb2c98288840826ac8555af91f8b

SHA256
167dac759ce6870a0ba6435dd2901a56aae37ed881bad13af3248b45cc0e4bc8

SHA512
f5521ec5cb3bbd50c455719970911d279824b8ed26bc8527d92111d8fe937ab93b42ed4332c1a46ecccb0dac9222647e20532553384a164e0d51a432dc62070f

Download Submit
C:\ProgramData\Getscreen.me\logs\20240306.log

Filesize
2KB

MD5
c483f2169e8a262c61eb3160f7019172

SHA1
f59a65767c57079bfb69c809d0ae7639fae437b4

SHA256
97328d950caf15f1a44afdf8028e2a111ca55e376486365a414e841461f275b4

SHA512
8e615ad9698998e515f220adbf647114cb1dcd1b303fd5bc63953ba5aae7c4ba4d81357fe9adc910870e1536a9947b77557f59f1b56fc7f293f88383258c4d9a

Download Submit
C:\ProgramData\Getscreen.me\logs\20240306.log

Filesize
500B

MD5
c4cdeb57d0b6269f5c0670e950dc9f85

SHA1
c0e82cb79b4522131b8ae5d8c04050c5625022d7

SHA256
b674e80944f8d6b0b6a376259d2d9828eb1d99d39a5ef42569efa33b12a198c6

SHA512
b8fa8c25037c41e1536bf5faec510a3325c2bcbb3fb3ef1b9ae507a7eaeed34df19981dc49bdb36463b289e2e304cfe6158d9c5eee84a8195e30d67826464001

Download Submit
\ProgramData\Getscreen.me\qvtpdlvmdwvgmlbbfhxeasnhgivphkv-elevate.exe

Filesize
4.1MB

MD5
46ce83fd31d1b64c184e4307862dbc11

SHA1
b5937bc379c27a4c48d2c34d542afbd2da71bf59

SHA256
c6931330ac5b1674f9b2c3691f2c061b51066839622a49a97f4608a3959e1767

SHA512
70db9fbd15f87943af49b3173118ee186bdcd24d69db378cf4c2c127eb2074a86180f3a122846fbf25a06e2d5733040b2e971332dabc4548105d1d4f5780c1df

Download Submit
memory/1796-13-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1796-48-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/1796-58-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/1796-56-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/1796-54-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/1796-52-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/1796-5-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/1796-50-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/1796-22-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/1796-36-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/1796-46-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/1796-25-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/1796-44-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/1796-42-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/1796-40-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/1796-33-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/1796-38-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/2036-35-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/2036-47-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/2036-2-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/2036-39-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/2036-32-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/2036-41-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/2036-31-0x0000000002AF0000-0x0000000004394000-memory.dmp

Filesize
24.6MB

Download
memory/2036-43-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/2036-12-0x0000000002AF0000-0x0000000004394000-memory.dmp

Filesize
24.6MB

Download
memory/2036-45-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/2036-24-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/2036-37-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/2036-57-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/2036-49-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/2036-21-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/2036-51-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/2036-55-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/2492-17-0x000000013FB30000-0x00000001413D4000-memory.dmp

Filesize
24.6MB

Download
memory/2492-18-0x000000013FB30000-0x00000001413D4000-memory.dmp

Filesize
24.6MB

Download
memory/2548-19-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/2548-23-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download
memory/2548-30-0x000000013F580000-0x0000000140E24000-memory.dmp

Filesize
24.6MB

Download