e5665f67c994ebe68f2c4b9ca7f7f27a8f3638194c63b5d06cfe58acdb2c2a34

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe
Size

16.7MB
MD5

c0f09dbc40e5f5b97ecdc527a0cfd7cf
SHA1

787ee2d3e4fdc40ecf33f1b09cc9402b87b90c4d
SHA256

e5665f67c994ebe68f2c4b9ca7f7f27a8f3638194c63b5d06cfe58acdb2c2a34
SHA512

63e82ad655d2bc45b32571eb66fd071899721124f1c03e19adb655f4f676de5cef9d10ef349f0ffcf33e9632e2c1e5c5b66a2b041145a93e72ef6b5a9a00dbae
SSDEEP

6144:PFKiOzC8VEXAouuoSADeqaiBeOju9+PeMIZyC45EnLhuU9IK/NgNvcucPhlrH41U:PHkVE/oSb

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1400	hloqtvx.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/476-0-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/files/0x0007000000023352-13.dat	upx
behavioral2/files/0x0007000000023352-38.dat	upx
behavioral2/files/0x0007000000023352-37.dat	upx
behavioral2/memory/1400-39-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/files/0x000100000000002e-44.dat	upx
behavioral2/memory/4300-55-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/1400-56-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/476-57-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/476-59-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/476-60-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/476-61-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/476-62-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/476-63-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/476-64-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/476-65-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/476-66-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/476-67-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/476-68-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/476-69-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/476-107-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/476-108-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/476-109-0x0000000000400000-0x000000000046D000-memory.dmp	upx

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\DRIVERS\W32X86\3\puagijl\puagijl.exe	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe
File created	C:\Windows\SysWOW64\Help\upbiran.ini	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe
File created	C:\Windows\SysWOW64\Help\1.lpuagij	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe
File created	C:\Windows\SysWOW64\Help\2.lpuagij	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe
File created	C:\Windows\SysWOW64\lpuagij\lpuagij\wadfijm\m.ini	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe
File created	C:\Windows\SysWOW64\lpuagij\lpuagij\wadfijm\hloqtvx.exe	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe
File opened for modification	C:\Windows\SysWOW64\lpuagij\lpuagij\wadfijm\hloqtvx.exe	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1400 set thread context of 4300	1400	hloqtvx.exe	104

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Help\lpuagij.hlp	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe
File created	C:\Windows\2.ini	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe
File opened for modification	C:\Windows\	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3892	4300	WerFault.exe	104

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
476	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe
476	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe
476	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe
476	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe
476	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe
476	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe
476	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe
476	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	476	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe
Token: SeManageVolumePrivilege	4304	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 476 wrote to memory of 1400	476	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe	101
PID 476 wrote to memory of 1400	476	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe	101
PID 476 wrote to memory of 1400	476	c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe	101
PID 1400 wrote to memory of 4300	1400	hloqtvx.exe	104
PID 1400 wrote to memory of 4300	1400	hloqtvx.exe	104
PID 1400 wrote to memory of 4300	1400	hloqtvx.exe	104
PID 1400 wrote to memory of 4300	1400	hloqtvx.exe	104
PID 1400 wrote to memory of 4300	1400	hloqtvx.exe	104

C:\Users\Admin\AppData\Local\Temp\c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe
"C:\Users\Admin\AppData\Local\Temp\c0f09dbc40e5f5b97ecdc527a0cfd7cf.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:476
- C:\Windows\SysWOW64\lpuagij\lpuagij\wadfijm\hloqtvx.exe
  C:\Windows\system32\lpuagij\lpuagij\wadfijm\hloqtvx.exe -close
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -NetworkService
    3⤵
    PID:4300
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 12
      4⤵
      Program crash
      PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4300 -ip 4300
1⤵
PID:1676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:8
1⤵
PID:4300

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Help\1.lpuagij

Filesize
26B

MD5
1319afdf3f591b518451e81bb9d1339f

SHA1
eb65bdd8abb90aca0557a9d97a641bf8f98a0c19

SHA256
17b227a14971e793c9e1627618e125f3450ff7561ce31eec5c4c0ad8cfa1abdb

SHA512
8f29df93f36b0634a3aa0f4ec19d445f882ab5b9009ee13b9e8e8fe11bcf38aa1f1f358f8e14e78b0cd1781c21d88047827a790e8fe39464383db00132d2c0b9

Download Submit
C:\Windows\SysWOW64\Help\2.lpuagij

Filesize
18B

MD5
f01661e803d70c0fba39946d1df7648b

SHA1
e4c90122918a98cddf2d1a4f66ee14d0adc9f6a0

SHA256
f00e95fe16c9e9c42ebc9456dc57d463fe5668f709a096f06c89d3f8456909c2

SHA512
46403295686f1f5b0097ff2819f9607213f2d00aa4a6e85d5845a70cb5c23f901f1b31ed44a1b3424cb118f0ea0f92b4c9bea5676ea54bd45e1247708af89bc1

Download Submit
C:\Windows\SysWOW64\Help\upbiran.ini

Filesize
18B

MD5
6ba93a13783843323d88120a669074b9

SHA1
1e9c91fea340c02934c0a81f0aea16ad5ac5b520

SHA256
32d6c1769f97526781990bd241dec4d541fb887903d0f2712c7602b5bb4b0ad5

SHA512
70464d30fe94f9b86fb89d563639c3c554ccb06db267abb2028b30ce04868b94be844b3b657629d28d5e0ffd906cc9fb262edca1d929fb8c18115cfaa94e12fa

Download Submit
C:\Windows\SysWOW64\lpuagij\lpuagij\wadfijm\hloqtvx.exe

Filesize
7.5MB

MD5
c6b375e29ec318647fecccbdad70e158

SHA1
346a5dd9c2340c7b0c6c7aa4c4f43ba8bbb57e40

SHA256
eecafd82c6216f56672a0f4ac721b285a3cf3488dce2ac275e0641fb15afd15f

SHA512
82946afa9434e0e1b506b04b6ef76fb7d15a279acd3f3cc4e6ff0f09f6192c4c494d6a3c1b36e410228ab4d11839644ca78022e89e601802d04a93b08a8f4246

Download Submit
C:\Windows\SysWOW64\lpuagij\lpuagij\wadfijm\hloqtvx.exe

Filesize
960KB

MD5
857b9b91f7a55b06d0ce1396067ae3d5

SHA1
c4e5d28a7dd32b91275faac73ada97bb5495e819

SHA256
d5246baa019b8ea0e8166a0738f947ab5f1f8325f9ca2b46aedb4fcaa4a36959

SHA512
a3ad3cb2e4880d1972a0665faea48f37d0ae5b17cb5fb94d3dfcc19e1d231cbbcda69fcce1c32170892417b9b9c5733e41bc541911af0ff92d3b4f6b1e6b69fe

Download Submit
C:\Windows\SysWOW64\lpuagij\lpuagij\wadfijm\hloqtvx.exe

Filesize
1.3MB

MD5
acd74653e17f5de9cafc7b5a05dfc46e

SHA1
c9983e91dd3811ca8f1c92de6894330345944b07

SHA256
41040a0e96901a025422ba19fdf3acf86742d6eefe0f157c85439ed693c49b8d

SHA512
1fd111376e4a5572e3d0c59ef46ce7f72c3e8aed76887ececf8c0d88c18b0a2cd03d0709248243c57c3688d15fff115949bb252b17a8cdd0ed63c2df3aefc41a

Download Submit
C:\Windows\SysWOW64\lpuagij\lpuagij\wadfijm\m.ini

Filesize
128B

MD5
58b278593837e9ef72f61fc5f43e6109

SHA1
4dbee2e906ed12a04d3ec754690507d43111eeb1

SHA256
69255e9da6d865c9ca715dac5c45c828a47071c605dc86f3b41c07ff96492ee4

SHA512
07725125ec35df6e3d7042c8ccaa9b005ad864b8567db001b069c51a8f0a9d36a657864fe4688a3f181dd3ec1815e145768b1a93e97bd5a73e8b991e167c2866

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\puagijl\puagijl000.IMD

Filesize
576KB

MD5
a8cbce037404e1c8ece315844f3f004d

SHA1
5a3694eb5ca96ee337ebfc83d7e6aed8825da045

SHA256
8596b1f323e17b6c2f887d1fbcc82a9e52005636774c451dc6f26d45ea607e9c

SHA512
bbdb553091db4204f4998cd5fd59f688738d67b5f54657531edaa9c30b051f4398b79770585fec1b13a09eb16a880c666128464a92bbca4f904d0d9fb1195ef5

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\puagijl\puagijl001.IMD

Filesize
512KB

MD5
d62644a4869459e2d93d158296f7338f

SHA1
cb4a1d8ee95942a93bb102059a858e7d94cfca65

SHA256
857cbf8ddb03c1829f21f7bf48dbbf28f7988e0f5a4bfce64157ff772b18af37

SHA512
932e65cb374fda67ad789f7cdf4fc9564d3b34cdb27c614a7c8de251eb8125e5050b06e85c0fd12fcc54e2691adf1d07ed7cff1a1a5c1f9f57d8d0bc80f600fa

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\puagijl\puagijl002.IMD

Filesize
448KB

MD5
176c058f6320491858f9e943b001c50c

SHA1
3367a5f035be936028d551ee706ab8b7ec6506f8

SHA256
94695af1380ffbb66478e249a98876edb72baa641f4d086bfa3c1bd81f93163c

SHA512
3c363395f2b56037227acf606d6b943e7a0a72b2c35f28da38fe99179ad0af0766d740531801e205e47ebe1c6a27fac741babb4408c5bcea0acb673d5ab9669a

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\puagijl\puagijl003.IMD

Filesize
934KB

MD5
50fa1ef04d867ee7fc37a5e7ed4ce0e3

SHA1
c80e26716027d42f4022b4a85c714d33bcc9ef15

SHA256
f9e997c76584f813b48782d92dd63874ab611e574fcebe8bd35d9401c118734d

SHA512
ea90753b164897391725ad6d49ab776b8902b474a6f5648eefe1c56cac0e66a1873b362099939dd98d438eeef1a2c477ab0aaa78ed14e7710c1cd2e4cfe3b21d

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\puagijl\puagijl004.IMD

Filesize
1.7MB

MD5
2babdcba33e0641387497ae3624006be

SHA1
02906738f0c9538dae47de9bbdb03a8cd2bb48aa

SHA256
51499a626e053c744cc49fcd973365db7f43b27aea895e438c078c1c361b20ec

SHA512
d40ef91d8189e563cb4e542cb9512362c8e4e8943b29e23495e34b12c10b60ca1aee711a8aaecb8efbcd324ed3587193db0bfc11b35b0ec1663d1d4ad7cb303b

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\puagijl\puagijl005.IMD

Filesize
1.7MB

MD5
a4e9202c9ff15e10057339258d804274

SHA1
a11bd9d36674148c52d271df35377e6cf7d7af66

SHA256
267ac207668d67044c6bca02824d2188b403d4651f2aab9c807b75899f10edc5

SHA512
839b7bf068cf7fa6cffb880be0384e3bf291a0922d683e67eccb9adc46e20b97f2547182fb2f053e18852658bcfbfe217e0c7ad3f196eda8e30642de5cb0c40c

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\puagijl\puagijl006.IMD

Filesize
1.7MB

MD5
07986ad6be82b08b83d790f82d88612c

SHA1
20f301b609465ab21bea89e511b58d433dc0dcb3

SHA256
2469d0ce09a30b3d5dedf542c672e79fddbea329f27645f6670e6320b72df9f7

SHA512
b8d38528e48f48565cd96db93aed0461dd359bc324138b0f608b32693d8bf8c3973ea7c7399e055903ccfd343a725a4458ad88ed08e9dd06a25903b3cf829744

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\puagijl\puagijl007.IMD

Filesize
1.7MB

MD5
234acacf5c73f9ed763d7d4f1b38761b

SHA1
04c5b493b658f209f2d7ac324df4469f7b52f511

SHA256
3e97938bcd0a9aeca23e42fa0acf7f1bb0a25ba63f9251fea7566da903575259

SHA512
9b78556b4f387972b6c09fcd4ea8f057afc249b17b478969dda6cca0b35bfc4443bf2537672f6351a3e465292b73e5310b151d19172c888346d1b469485a0afb

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\puagijl\puagijl008.IMD

Filesize
1.7MB

MD5
271a9e1705431f4659ed327510007612

SHA1
833b8b9ac6fbe3953a1a38672a3fdbe69260da84

SHA256
4b10da706f8b873b39f3a3e657d3447c4a53a8f7e5c3dcc4c9bf055c3d2df8fc

SHA512
400c8a9343783fa77d0b44bc83e46361efe798c69476fe5e86871c7eae5277cfb2d638d0d4482ed14ecf8ec57b5cf43d73a45cb9e4c1f94a8284f1185d7fb15d

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\puagijl\puagijl009.IMD

Filesize
1.7MB

MD5
35a7d9d6123fefd257084b78acbb360e

SHA1
e8d27d99bf3b05c03137b4ec5b5f5a86728ca74d

SHA256
c09b2e54de383e0ac88f9fc22a7441eb3a6051040a2a342c5186bd06d391bbff

SHA512
aa3254839f65dde91b97bb335e70b198a9baf0210fea51ac2dd4c8b64cd5689aaf5fe65fbe79968e5eb17fe6db63b224569ce434c1d149fc19a6ebdb8f6c0e6d

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\puagijl\puagijl010.IMD

Filesize
6B

MD5
86c33cea8865e3396684cf579db60103

SHA1
91544f7f94d888459fd9588008508b12ff125df9

SHA256
08383d1bbf31fb696900682b77a831f1654e86f69b37fa627b1b2396b180ecd7

SHA512
92808388f3a519d64083725ab89181783985d4a8934244c798ca591dee57dd25d9429b7414ebc4bad4e036556b776c2a25fa2c182eaad3e89c4a83b94bd043e3

Download Submit
memory/476-57-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/476-66-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/476-109-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/476-108-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/476-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/476-107-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/476-59-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/476-60-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/476-61-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/476-62-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/476-63-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/476-64-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/476-65-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/476-69-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/476-67-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/476-68-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1400-39-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1400-56-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4300-58-0x0000000000FE0000-0x0000000000FE0000-memory.dmp

Download
memory/4300-55-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4304-70-0x00000200C3640000-0x00000200C3650000-memory.dmp

Filesize
64KB

Download
memory/4304-86-0x00000200C3740000-0x00000200C3750000-memory.dmp

Filesize
64KB

Download
memory/4304-102-0x00000200CBA40000-0x00000200CBA41000-memory.dmp

Filesize
4KB

Download
memory/4304-104-0x00000200CBA70000-0x00000200CBA71000-memory.dmp

Filesize
4KB

Download
memory/4304-105-0x00000200CBA70000-0x00000200CBA71000-memory.dmp

Filesize
4KB

Download
memory/4304-106-0x00000200CBB80000-0x00000200CBB81000-memory.dmp

Filesize
4KB

Download