63f33a1db75f08091271c7eaa1be0071cd000331ab05659e445d07e8058f561f

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7d039c2559b2bd19f00153507cff857.exe
Size

11KB
MD5

b7d039c2559b2bd19f00153507cff857
SHA1

6aeedde8ba29e7db3dcd9cd51e64d4985aff488b
SHA256

63f33a1db75f08091271c7eaa1be0071cd000331ab05659e445d07e8058f561f
SHA512

7974a78db8d11303466cf3228ddda7d918056bc6154e815e89a30aaf1cc1a287a3ed05d5cc22445c90ae1ddaff361bdb8656d5609aa0dcd48278daead9ca95f8
SSDEEP

192:CuxZH2B7O5mv/scm+eTo/+Dkl4usLZRtC45v2CmZ4Vlt3twKeYOTpzs+J:CuLWB7ImnE+eTo/g84usLRCobHFdw2OZ

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2956	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2984	comboausk.exe

Loads dropped DLL 2 IoCs

pid	Process
2772	b7d039c2559b2bd19f00153507cff857.exe
2772	b7d039c2559b2bd19f00153507cff857.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2772-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0009000000015c23-3.dat	upx
behavioral1/memory/2772-4-0x0000000000030000-0x000000000003F000-memory.dmp	upx
behavioral1/memory/2984-12-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2772-20-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\comboaus.dll	b7d039c2559b2bd19f00153507cff857.exe
File created	C:\Windows\SysWOW64\comboausk.exe	b7d039c2559b2bd19f00153507cff857.exe
File opened for modification	C:\Windows\SysWOW64\comboausk.exe	b7d039c2559b2bd19f00153507cff857.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2772	b7d039c2559b2bd19f00153507cff857.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2984	2772	b7d039c2559b2bd19f00153507cff857.exe	28
PID 2772 wrote to memory of 2984	2772	b7d039c2559b2bd19f00153507cff857.exe	28
PID 2772 wrote to memory of 2984	2772	b7d039c2559b2bd19f00153507cff857.exe	28
PID 2772 wrote to memory of 2984	2772	b7d039c2559b2bd19f00153507cff857.exe	28
PID 2772 wrote to memory of 2956	2772	b7d039c2559b2bd19f00153507cff857.exe	29
PID 2772 wrote to memory of 2956	2772	b7d039c2559b2bd19f00153507cff857.exe	29
PID 2772 wrote to memory of 2956	2772	b7d039c2559b2bd19f00153507cff857.exe	29
PID 2772 wrote to memory of 2956	2772	b7d039c2559b2bd19f00153507cff857.exe	29

C:\Users\Admin\AppData\Local\Temp\b7d039c2559b2bd19f00153507cff857.exe
"C:\Users\Admin\AppData\Local\Temp\b7d039c2559b2bd19f00153507cff857.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\SysWOW64\comboausk.exe
  C:\Windows\system32\comboausk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\b7d039c2559b2bd19f00153507cff857.exe.bat
  2⤵
  - Deletes itself
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b7d039c2559b2bd19f00153507cff857.exe.bat

Filesize
182B

MD5
1f606769767ae757091dd6b3937c6816

SHA1
8937c8a58ef4eebb85e37a130774d799cc187c1b

SHA256
4f8cb5f67bb58c547e1c66309b23b77d7cd71a7e3ac37f9c486aa4a52b56e759

SHA512
272545b860533dcfdd4cbc0a867b73a08e7c3a9159d5ae64d51ffb23c33076296bc17c191a1aa9dce48321e0fb8316fe620d50c6937eea77bb3b91452a51e9fb

Download Submit
\Windows\SysWOW64\comboausk.exe

Filesize
11KB

MD5
b7d039c2559b2bd19f00153507cff857

SHA1
6aeedde8ba29e7db3dcd9cd51e64d4985aff488b

SHA256
63f33a1db75f08091271c7eaa1be0071cd000331ab05659e445d07e8058f561f

SHA512
7974a78db8d11303466cf3228ddda7d918056bc6154e815e89a30aaf1cc1a287a3ed05d5cc22445c90ae1ddaff361bdb8656d5609aa0dcd48278daead9ca95f8

Download Submit
memory/2772-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2772-4-0x0000000000030000-0x000000000003F000-memory.dmp

Filesize
60KB

Download
memory/2772-11-0x0000000000030000-0x000000000003F000-memory.dmp

Filesize
60KB

Download
memory/2772-20-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2984-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download