d0e0dcab7ed028c48c80233b4c0b67c1f10df6d3c369c738b9379139d3b65787

Analysis

max time kernel
141s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb6045a502f084df4316b4f9de824d86.exe
Size

3.9MB
MD5

cb6045a502f084df4316b4f9de824d86
SHA1

2c68c63a1d31e4484861d7f56de1ec625a484dae
SHA256

d0e0dcab7ed028c48c80233b4c0b67c1f10df6d3c369c738b9379139d3b65787
SHA512

e00606e2a9ebd93b3cd728e28ec3db98565c2fb49be3be3504b0768bc2ef698549e223598cdd69e1a4b0e26d9ebfacfb2c0c12daec38e26adfd220c0d28476ed
SSDEEP

98304:egdx3yNvP42sziBan8RHJvOimjj8QszWHa3HbWWdJ4Qezcg92fK:nxuPhsziGcSTHkbWWfgYC

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2452	autorun.exe

Loads dropped DLL 1 IoCs

pid	Process
1048	cb6045a502f084df4316b4f9de824d86.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016ced-51.dat	upx
behavioral1/memory/1048-53-0x0000000002C20000-0x00000000030EE000-memory.dmp	upx
behavioral1/memory/2452-56-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2452-69-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2452-71-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2452-72-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2452-73-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2452-74-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2452-75-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2452-76-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2452-77-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2452-78-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2452-79-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2452-80-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2452-81-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2452-82-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2452-83-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral1/memory/2452-84-0x0000000000400000-0x00000000008CE000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2452	autorun.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1048	cb6045a502f084df4316b4f9de824d86.exe
1048	cb6045a502f084df4316b4f9de824d86.exe
2452	autorun.exe
2452	autorun.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2452	1048	cb6045a502f084df4316b4f9de824d86.exe	28
PID 1048 wrote to memory of 2452	1048	cb6045a502f084df4316b4f9de824d86.exe	28
PID 1048 wrote to memory of 2452	1048	cb6045a502f084df4316b4f9de824d86.exe	28
PID 1048 wrote to memory of 2452	1048	cb6045a502f084df4316b4f9de824d86.exe	28
PID 1048 wrote to memory of 2452	1048	cb6045a502f084df4316b4f9de824d86.exe	28
PID 1048 wrote to memory of 2452	1048	cb6045a502f084df4316b4f9de824d86.exe	28
PID 1048 wrote to memory of 2452	1048	cb6045a502f084df4316b4f9de824d86.exe	28

C:\Users\Admin\AppData\Local\Temp\cb6045a502f084df4316b4f9de824d86.exe
"C:\Users\Admin\AppData\Local\Temp\cb6045a502f084df4316b4f9de824d86.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\cb6045a502f084df4316b4f9de824d86.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\0.JPG

Filesize
10KB

MD5
639db71aecf4aca117b47c709cf42a11

SHA1
6c7a6b01eeca3953d02b996a856c6a764444c8ad

SHA256
544fd813c38e07b0acafabe4deff23dba1755fb5a749bd61522c35c848dd5cb5

SHA512
3c0b426ec4ed33be171bb0bb8a0bbf5e30c05a5a559b38beb6215068c5090f7eb2c7c6766f2a5aa56a72e29b56c4455175c39df0b26f245c43c7144e1b196974

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\04.png

Filesize
7KB

MD5
46f3761364a1418257b40752675848bb

SHA1
1016ef89342fb072119498456a16d7cc533fb0e3

SHA256
7038e422c28454ec0645d8394a523a955d7cb08f144c80319bb299829ccfd3d3

SHA512
2fb661ca39db98c779bfb67c2a436883df7d6b5a96114b3b4e43ea7a1ec88c3da5e43fd9a9c1412f7e06d78c32709f05a604bf5185366ae1c28998931367e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\psp temp 000000004.jpg

Filesize
1KB

MD5
4eccc66917f0a54063416f0f1cbb7ed0

SHA1
c51bdd4016057c52594975e8ac55814b5cebe2e5

SHA256
ff0f59dbdb12856d984d5628a89cecf397f456c4e2fc5676624a301a2471fc61

SHA512
bdf6ef270952e04d18832558f7876c4f68484498a55e776077c2013703cafad133512b39d25d411724d44b390b69d82c96f7305eac686b05599a2bc2ddc71b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\psp temp 00000004.jpg

Filesize
3KB

MD5
38a5cede3cdc8765faae8cdcae8f3967

SHA1
77f83e25c9aba9142caa5158328cc7be72fdd41d

SHA256
cb7c7332816b74a887ce31dcf4d98ee102b4702412e052d975cdf4788bde22a5

SHA512
1a403ab6cfc7bb8268b27648dedef969e36371ab93acc24adda0a6677e76a272d93e90c64ca5bf7d88dbcdbdb51c51ab866014406a1446eea709f056c88f1e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\psp temp 0000004.jpg

Filesize
3KB

MD5
ec453f1039da90ba5c4954a2ff4a0929

SHA1
28eff1bd344746ef2f4e1d1ed691d0aac553584b

SHA256
04bb9c2f6fba0f3806e0cd3c9a0a23cc32049565c59ba72bb7732b5334f93821

SHA512
5030eed949cc7f4a81b39cfb8b353651c5d2ada349e36badd4688a0fb1f6cadd46d84341ec155f28be507ec5c11e0f9ebacfccee44b72b9a2efd690c7efea8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\psp temp 000004.jpg

Filesize
3KB

MD5
ca27b042430144757d63356d38137661

SHA1
3845964106418dbc32c92669710dae25e25ea6d1

SHA256
af51be0b578384303a216cc220d9abc3c09a7cc42d6d1f6bc619d53e6e1a4b12

SHA512
d032d904cafc007ff65bdf804ff918e7f7ceb64b78295713de4e99bc493e35bfe140214e30eb0e76a24e6746303244d3bcde13527ad662026382f6c5781ef198

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\psp temp 00004.jpg

Filesize
18KB

MD5
0d2efe17254ecbd0cd6d60ea525285cf

SHA1
87752eca53221446b47cd640356d87ffadc50cf5

SHA256
e8a2ed1239139219ea3afc06af9412091ed37b94499affa6447d3eca51a68962

SHA512
1c2d7bc3ae42694303e1513655033fdee57e3531359933e40a93c2053930b621fddf9db238e4026a1995561dfe05bcb06557fc0445ba3c6ab7f5039de4860b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\psp temp 0004.jpg

Filesize
26KB

MD5
73b5d13e775ce0fb3fdafa7d5575fbd0

SHA1
bb1523df66ad3dda80be8821c6864f5ae3e2092e

SHA256
903ee23a6605d258dfc0d76fc56f0364527becb9dad6605973322c4b256e60b0

SHA512
a6be225f8630f68d2315e137f3e130d23c7ad871ff7c585db3a12025014a7714059dc80086c90a063204a7d8c0d883db35c733599b4996f162a1394854b798be

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\psp temp 004.jpg

Filesize
21KB

MD5
7034c229151fcfdc2ce5d14c427232d8

SHA1
13ffeed39b882b8b86fd272fd9152d27b309fcd7

SHA256
07169711db6ff110a03d110304f6e0b69be7cbbdfdc42b3fe9341e4aea31feab

SHA512
bd2af6296383bb30f8818ab1836f888e1d27ba25ac3a5e2be04f2c4c435cf3b7d14ad1b4237cd1f7795605718a009dcb866af1f820cce41ec19fd129d9f474e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\psp temp 04.jpg

Filesize
356KB

MD5
a1a9e597ad0e9da6a093766d4bd4d0d3

SHA1
b7d87e7590d9d4bc76324625598cd7acdf11c3cb

SHA256
fda901c08b4995de697e19dabb09e4d0eeaaff6c6e4665300d86980324e473d9

SHA512
10727a195bd870f9ebe8c38410332a8da765fc575f7917947d9ab513ac7c72e180909b64edd9dc07e868e11cddf81a5ed4127eb29669a42a81583e226c14ace9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
10KB

MD5
0c1cf4ba2d5d1646712704b7e34bff85

SHA1
d56ef66a86f9b67cd179a0d40ac319fee93a6ff3

SHA256
b192aef6f3f95c8221b27871a39e195d1d0d3178058af09982276c3eeaeb19ea

SHA512
d7358688e3d87c4eb1acf0881bab9ffaa971e5630640ebdce1840da551804ec98bd79668bdbd7c5155ffbfa8294dd79da52c6789f57f19b1a58f0a2266f14f2d

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
957KB

MD5
56423d7f3ce83c7ff33f5c65f31aee8d

SHA1
fbde9aa7ef24de55db0c2c3b44bf765e30e7498a

SHA256
df35b8b3746db8eed32cf57cff38912835322cabfda85941252a8d7b82475abe

SHA512
ea4fb1b4801346639faa779134c0d528d64c69883c9e81998e4901e3485cc459546ec38103b544c9432bc221457f6442d89dd11c97e6cb9a60eccef2234fadad

Download Submit
memory/1048-70-0x0000000002C20000-0x00000000030EE000-memory.dmp

Filesize
4.8MB

Download
memory/1048-53-0x0000000002C20000-0x00000000030EE000-memory.dmp

Filesize
4.8MB

Download
memory/2452-69-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2452-76-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2452-71-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2452-72-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2452-73-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2452-74-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2452-75-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2452-56-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2452-77-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2452-78-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2452-79-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2452-80-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2452-81-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2452-82-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2452-83-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2452-84-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download