587a8d051d1244e124d0cfa904cfcb143cf8165b70af2fdb2c105b9db65a40dd

Analysis

max time kernel
150s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c898d10f8f8578dbb7732a8aa64e69f0.exe
Size

11.3MB
MD5

c898d10f8f8578dbb7732a8aa64e69f0
SHA1

65ebb827c47b6859a423c7308a7e619bab10b3da
SHA256

587a8d051d1244e124d0cfa904cfcb143cf8165b70af2fdb2c105b9db65a40dd
SHA512

54b5d6173b562ef4f6fbbda39f5c9a5e66ef5c292f5f71cfa36a149a65f549ea124d72b12763395b84dc8375177a71b9a66f64733cb5a0b1072d6c89207c41c5
SSDEEP

12288:PHkVE/oSF76RyGZR8WMB6OXw376RyGZR8WMB6OXw376RyGZR8WMB6OXw376RyGZR:cVu

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4144	ocxlufk.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3068-0-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/files/0x0006000000023219-13.dat	upx
behavioral2/files/0x0006000000023219-38.dat	upx
behavioral2/memory/4144-39-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/files/0x0006000000023219-37.dat	upx
behavioral2/files/0x000100000000002e-44.dat	upx
behavioral2/memory/1416-55-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4144-56-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3068-58-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3068-59-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3068-60-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3068-61-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3068-62-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3068-63-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3068-64-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3068-65-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3068-66-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3068-67-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3068-68-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3068-69-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3068-70-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3068-71-0x0000000000400000-0x000000000046D000-memory.dmp	upx

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tfjbwhs\tfjbwhs\acskxjw\ocxlufk.exe	c898d10f8f8578dbb7732a8aa64e69f0.exe
File opened for modification	C:\Windows\SysWOW64\tfjbwhs\tfjbwhs\acskxjw\ocxlufk.exe	c898d10f8f8578dbb7732a8aa64e69f0.exe
File created	C:\Windows\system32\spool\DRIVERS\W32X86\3\fjbwhst\fjbwhst.exe	c898d10f8f8578dbb7732a8aa64e69f0.exe
File created	C:\Windows\SysWOW64\Help\upbiran.ini	c898d10f8f8578dbb7732a8aa64e69f0.exe
File created	C:\Windows\SysWOW64\Help\1.tfjbwhs	c898d10f8f8578dbb7732a8aa64e69f0.exe
File created	C:\Windows\SysWOW64\Help\2.tfjbwhs	c898d10f8f8578dbb7732a8aa64e69f0.exe
File created	C:\Windows\SysWOW64\tfjbwhs\tfjbwhs\acskxjw\m.ini	c898d10f8f8578dbb7732a8aa64e69f0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4144 set thread context of 1416	4144	ocxlufk.exe	86

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Help\tfjbwhs.hlp	c898d10f8f8578dbb7732a8aa64e69f0.exe
File created	C:\Windows\2.ini	c898d10f8f8578dbb7732a8aa64e69f0.exe
File opened for modification	C:\Windows\	c898d10f8f8578dbb7732a8aa64e69f0.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3704	1416	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3068	c898d10f8f8578dbb7732a8aa64e69f0.exe
3068	c898d10f8f8578dbb7732a8aa64e69f0.exe
3068	c898d10f8f8578dbb7732a8aa64e69f0.exe
3068	c898d10f8f8578dbb7732a8aa64e69f0.exe
3068	c898d10f8f8578dbb7732a8aa64e69f0.exe
3068	c898d10f8f8578dbb7732a8aa64e69f0.exe
3068	c898d10f8f8578dbb7732a8aa64e69f0.exe
3068	c898d10f8f8578dbb7732a8aa64e69f0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	c898d10f8f8578dbb7732a8aa64e69f0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 4144	3068	c898d10f8f8578dbb7732a8aa64e69f0.exe	85
PID 3068 wrote to memory of 4144	3068	c898d10f8f8578dbb7732a8aa64e69f0.exe	85
PID 3068 wrote to memory of 4144	3068	c898d10f8f8578dbb7732a8aa64e69f0.exe	85
PID 4144 wrote to memory of 1416	4144	ocxlufk.exe	86
PID 4144 wrote to memory of 1416	4144	ocxlufk.exe	86
PID 4144 wrote to memory of 1416	4144	ocxlufk.exe	86
PID 4144 wrote to memory of 1416	4144	ocxlufk.exe	86
PID 4144 wrote to memory of 1416	4144	ocxlufk.exe	86

C:\Users\Admin\AppData\Local\Temp\c898d10f8f8578dbb7732a8aa64e69f0.exe
"C:\Users\Admin\AppData\Local\Temp\c898d10f8f8578dbb7732a8aa64e69f0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\tfjbwhs\tfjbwhs\acskxjw\ocxlufk.exe
  C:\Windows\system32\tfjbwhs\tfjbwhs\acskxjw\ocxlufk.exe -close
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -NetworkService
    3⤵
    PID:1416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 12
      4⤵
      Program crash
      PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1416 -ip 1416
1⤵
PID:3428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Help\1.tfjbwhs

Filesize
26B

MD5
7f77f43b5d3a03075eb1941a52c09823

SHA1
ca1f400fec84c4c702430f34f629229333dd36d8

SHA256
4cbf24f48f3440e0be04f00225e13db5f800ef2bdc54f824623cc43e651d5647

SHA512
1535566d824c59877aaec014cf2f22cf47529fc83364d495cbd7077e208ce3604f006c26bde1a22ebfafc1950b3356f4de32ce8cabae499701b1c25ddbaa7241

Download Submit
C:\Windows\SysWOW64\Help\2.tfjbwhs

Filesize
18B

MD5
0192714dfdca26cc8cba52da6d2b61a9

SHA1
ea5c031e9299eb561f49617fe64f39b0da18c178

SHA256
c1c5c74200dbdbb765a4e63fc9076e64e65b986988f5fce8c004ff8bfc58aab0

SHA512
86f6ce0da20d151f04e49caf779a605b517f4796fe36c0972a011138ed3da0d039b20f6698dc16952b5c5df87fb74fea96bccbe6b2885174a0230e591901207a

Download Submit
C:\Windows\SysWOW64\Help\upbiran.ini

Filesize
18B

MD5
b37c9dce7aa34dbee9ac83892d321b6c

SHA1
609ecbc8a15ed2c35583b921d774ec6d136ffe85

SHA256
ba8e5a7c15dae83a2ad30359b88d981b400ad99cd896233e2941ca9d4a5f3e79

SHA512
6b71bb252bc10f7fea666cd6b5501eddddfbd3d16057851e10b3986767fbc6ff2da73288e3a0316af6ac33ab55ca4f090333645b49b9f0eea25ac72b7431aab7

Download Submit
C:\Windows\SysWOW64\tfjbwhs\tfjbwhs\acskxjw\m.ini

Filesize
128B

MD5
5657da739be152bba698fb2b8c8b24c8

SHA1
d92b0a8d0de5532f95a9c0c2fa65781a054ead00

SHA256
41136ea35b807d5de9aab2d62fc7354636d00d71f8b7c0b10ca0677c0b3574ce

SHA512
75efb8306bf85a0079656b790ccca62fda5f08dd59f9dcee306bb23941104aa133098710e78a11a8b1ca8278b43decaa64584b2b5b9edc01c8df2af241c27f41

Download Submit
C:\Windows\SysWOW64\tfjbwhs\tfjbwhs\acskxjw\ocxlufk.exe

Filesize
4.1MB

MD5
7cd0d9a947777b5075ba3c5988f7c911

SHA1
68af8e0ca2e9d140a510dedc68367ff054402ee1

SHA256
5cdac031af07d14b793665f548ee92bb92f745d73bcc4ff6b6f97f63c7297a15

SHA512
9283a1c546464178a476820e13968bdf4b41dfcfb495416b52d840f560cee1abf6c2e611c78387489b8c114bfd8d330fa6b7bc9cbd13ef263f0a7c5e7afe423a

Download Submit
C:\Windows\SysWOW64\tfjbwhs\tfjbwhs\acskxjw\ocxlufk.exe

Filesize
824KB

MD5
ace758c6666b5a4838068198c54f9127

SHA1
b8ee849c11465859f0e648fac89d312a584ee261

SHA256
ee106fc3a8f7af2e18a0ade236fa4f634d4439ae1e89235debaf06f0ed9b6589

SHA512
ff403dc944d70c3662b0ab2093fefece13e40e64cd6ddc339b02313244b3608f0079d63d9ad8b27e8e3ec203aa8f95970b9dbe3ad4443eb96e4deef073571523

Download Submit
C:\Windows\SysWOW64\tfjbwhs\tfjbwhs\acskxjw\ocxlufk.exe

Filesize
1024KB

MD5
58f758a14b800443f0bb7734179cc5c1

SHA1
d966620ecfcc5bb7a524cef96c323535cb957a5d

SHA256
06e858e2bcb351a8c383cdfa96c9d30eb2a5ce9852d59a29a3fa562c11d1523d

SHA512
4954c2c335e0beed84dc8d1eab03ef6ab279f3b155dd57de59284fffa1d6ff84a6c5192b8e1f8cdfe5e1c1131340801aef0d3bd574350286539c98a8c89e1e5e

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fjbwhst\fjbwhst000.IMD

Filesize
486KB

MD5
c8271d6d6ecfd58be7eb3672a97a2a9a

SHA1
272b309358b9750945c1ed18c177979329c67364

SHA256
4169fbf4ce1919f2302b193f3d1e4188ebddcd9797b4d48781c220f9fd915ab5

SHA512
0bef795976e9a906cfcf86f1a04f57f43ec98f0c271cd104cf760d8944937a1f3bd487273c7f6a9f3fabde7a41d55b955369d03be42e24f0a58e3080055a125c

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fjbwhst\fjbwhst001.IMD

Filesize
576KB

MD5
8c0e794aaf0bb8df239dc19dea7fa78a

SHA1
04775dd4021b3e3b56128e8421134db686b7cd45

SHA256
fd0d89926effebe397e3905876a7ad2eb7d757270471f43197b3141d7ab2f245

SHA512
55fd772973228a45f94e9776df905b532b96b18368e983375363315ef647ef929f87a36dc4e1b5f933bd86a18f09e2a070d78e1bbbec0a6f39d081d81396ae55

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fjbwhst\fjbwhst002.IMD

Filesize
579KB

MD5
cb3fb27eda3afebcfb018661b404edbc

SHA1
4e2e001ea17608d6f7747937d8fad0ec0f1b8b35

SHA256
8c0170fe1dd82cac436ac31396f4da22c45efecc506e3c138a4dcfb5573380dc

SHA512
72271647216c7dadb6f7393625a7db3da5523260d562a14c2b913a505050072bfe3045b4c9bd630eaf854afcee22a5007ee2d3d7405001b09892e411fc5096d2

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fjbwhst\fjbwhst003.IMD

Filesize
399KB

MD5
18ae94feb49292427c7378197be5a054

SHA1
e425b3f73aa1726a18e14052d95f308d8a1b2112

SHA256
bc8932db1e19de3ba2a153a4733ab4a1f6ab4a149cea975551b9771b76809885

SHA512
f4aebd23c61165315e76c4d5b8946fd8092ed2dbea639034d369152115de9ca5fa9a26ddade027e2fdcc4d719b7aeebe0838d95dd429955bffbc733202747db4

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fjbwhst\fjbwhst004.IMD

Filesize
744KB

MD5
ebd8d9ab0f69112195214ad920174b7f

SHA1
379989be539e2a23fc7217283071814a78237533

SHA256
06556bb53ab6ea0450d259184255085cf0177a600c30cbd5f5653e325a7a2e94

SHA512
aea7f4e522aed5d09553199eb6bf946f8f5f362fee3253d75e8fda5d8046d9b7698a634aff7535be3e092f965c8c091b74521e70b371ea6b5757c49dd4ee219c

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fjbwhst\fjbwhst005.IMD

Filesize
914KB

MD5
088d0a32116bb5873348fdae8e6b7cfc

SHA1
19ac33a241f3a9e04495655671358048d2e80822

SHA256
31e573ef4794d933a6713c05e92b6b6e5a2b6d58e698bf0e7a031e644f29e51f

SHA512
671276e16dc94bb42c967ec57442aae4311b0f2ab894e1b81488313675df50005ec6f09efeae1306e9409aaced4d58967cebef80e71a923cc55f5f67d5408397

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fjbwhst\fjbwhst006.IMD

Filesize
145KB

MD5
7db5eae80517fdec435f3c2f5442c4d2

SHA1
45014cc6cc7497076dde94d7650dfdb94926cdcb

SHA256
1dc1dede6876df91a931c19f660c425dfe5106e1c01fc6fd1a2c315b2a4a5a56

SHA512
94ec859e8cbfa9e5877de49272e4a998cc81202a3d7c84fa012813a5a8daeb40fd6fb2b9e7b93546f03c67f4d633a9b83d0ba564c82a8442eae2d4b7badef3c8

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fjbwhst\fjbwhst007.IMD

Filesize
261KB

MD5
272f61804547b27000d79eb2a33337fa

SHA1
c786b92450fdcda324a6ed09cf83cfe8275d0f57

SHA256
82a780e576d0241d8ad64fb16053792c96ecd5b497ae76095eb253657e447b68

SHA512
43f45190bd3a38c80a8bffbfe99c0a433b78736972284b556a7bf24dd4438d706139174d5b5e06a923489bff139f4f9ca09f724352274c056105bf4ff6e6392d

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fjbwhst\fjbwhst008.IMD

Filesize
499KB

MD5
ed5fa3c8ed6de9d7db684bb4be012290

SHA1
97453c2da44a00550c8248b83385e509eab96af4

SHA256
2377da386ab973640187eb3d786ffc6f3491c74ed33a3350dcec0971f15b704b

SHA512
dbcb1a573869881556141198150d9c6738a2e4f39a68c49203572b1249447e26fe72af624db6bfd0e11cc98df8c392f4aaa20f1a3d82927d03dccfb62b83ef82

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fjbwhst\fjbwhst009.IMD

Filesize
193KB

MD5
69279046d9cac6e96d932e8d08ea7326

SHA1
d27d57e316a94dfb2dc2e820bf4947510701a79c

SHA256
d75ed5ae10916390b0fa2fd390836650b3081472df3db48cf5472521c54535be

SHA512
268128ef71000d7e5ee0145498febeff102849a601e5dc61b31b574e255127c6fb556d7a30b789fe454402253b0c40188c27cda7ca7cc97fc47a1e8645f12549

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\fjbwhst\fjbwhst010.IMD

Filesize
7B

MD5
b470756a00e431d873d6397e7165142b

SHA1
b7f75643c3651d07897f42798507ff3cbac876ef

SHA256
98aaf5f5ff4eb8311ee2e02ca2450e88d8d475e5a8f6c8116a8234e0eabb2226

SHA512
0da0990f85d71ad1680311d122904552877f1718c2bef6f65a8e77a0dcc9bc11fbacd630bee4eb5fccc92196eac7c689b7f3e206ede8557362c77ae6d83edcc3

Download Submit
memory/1416-55-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3068-62-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3068-64-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3068-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3068-58-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3068-59-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3068-60-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3068-61-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3068-71-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3068-63-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3068-70-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3068-65-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3068-66-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3068-67-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3068-68-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3068-69-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4144-56-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4144-39-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download