d0e0dcab7ed028c48c80233b4c0b67c1f10df6d3c369c738b9379139d3b65787

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb6045a502f084df4316b4f9de824d86.exe
Size

3.9MB
MD5

cb6045a502f084df4316b4f9de824d86
SHA1

2c68c63a1d31e4484861d7f56de1ec625a484dae
SHA256

d0e0dcab7ed028c48c80233b4c0b67c1f10df6d3c369c738b9379139d3b65787
SHA512

e00606e2a9ebd93b3cd728e28ec3db98565c2fb49be3be3504b0768bc2ef698549e223598cdd69e1a4b0e26d9ebfacfb2c0c12daec38e26adfd220c0d28476ed
SSDEEP

98304:egdx3yNvP42sziBan8RHJvOimjj8QszWHa3HbWWdJ4Qezcg92fK:nxuPhsziGcSTHkbWWfgYC

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3044	autorun.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002324a-52.dat	upx
behavioral2/files/0x000700000002324a-53.dat	upx
behavioral2/memory/3044-55-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3044-67-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3044-68-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3044-69-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3044-70-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3044-71-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3044-72-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3044-73-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3044-74-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3044-75-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3044-76-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3044-77-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3044-78-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3044-79-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3044-80-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3044-81-0x0000000000400000-0x00000000008CE000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3044	autorun.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4344	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4344	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1204	cb6045a502f084df4316b4f9de824d86.exe
1204	cb6045a502f084df4316b4f9de824d86.exe
3044	autorun.exe
3044	autorun.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 3044	1204	cb6045a502f084df4316b4f9de824d86.exe	91
PID 1204 wrote to memory of 3044	1204	cb6045a502f084df4316b4f9de824d86.exe	91
PID 1204 wrote to memory of 3044	1204	cb6045a502f084df4316b4f9de824d86.exe	91

C:\Users\Admin\AppData\Local\Temp\cb6045a502f084df4316b4f9de824d86.exe
"C:\Users\Admin\AppData\Local\Temp\cb6045a502f084df4316b4f9de824d86.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\cb6045a502f084df4316b4f9de824d86.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3044

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\0.JPG

Filesize
10KB

MD5
639db71aecf4aca117b47c709cf42a11

SHA1
6c7a6b01eeca3953d02b996a856c6a764444c8ad

SHA256
544fd813c38e07b0acafabe4deff23dba1755fb5a749bd61522c35c848dd5cb5

SHA512
3c0b426ec4ed33be171bb0bb8a0bbf5e30c05a5a559b38beb6215068c5090f7eb2c7c6766f2a5aa56a72e29b56c4455175c39df0b26f245c43c7144e1b196974

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\04.png

Filesize
7KB

MD5
46f3761364a1418257b40752675848bb

SHA1
1016ef89342fb072119498456a16d7cc533fb0e3

SHA256
7038e422c28454ec0645d8394a523a955d7cb08f144c80319bb299829ccfd3d3

SHA512
2fb661ca39db98c779bfb67c2a436883df7d6b5a96114b3b4e43ea7a1ec88c3da5e43fd9a9c1412f7e06d78c32709f05a604bf5185366ae1c28998931367e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\psp temp 000000004.jpg

Filesize
1KB

MD5
4eccc66917f0a54063416f0f1cbb7ed0

SHA1
c51bdd4016057c52594975e8ac55814b5cebe2e5

SHA256
ff0f59dbdb12856d984d5628a89cecf397f456c4e2fc5676624a301a2471fc61

SHA512
bdf6ef270952e04d18832558f7876c4f68484498a55e776077c2013703cafad133512b39d25d411724d44b390b69d82c96f7305eac686b05599a2bc2ddc71b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\psp temp 00000004.jpg

Filesize
3KB

MD5
38a5cede3cdc8765faae8cdcae8f3967

SHA1
77f83e25c9aba9142caa5158328cc7be72fdd41d

SHA256
cb7c7332816b74a887ce31dcf4d98ee102b4702412e052d975cdf4788bde22a5

SHA512
1a403ab6cfc7bb8268b27648dedef969e36371ab93acc24adda0a6677e76a272d93e90c64ca5bf7d88dbcdbdb51c51ab866014406a1446eea709f056c88f1e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\psp temp 0000004.jpg

Filesize
3KB

MD5
ec453f1039da90ba5c4954a2ff4a0929

SHA1
28eff1bd344746ef2f4e1d1ed691d0aac553584b

SHA256
04bb9c2f6fba0f3806e0cd3c9a0a23cc32049565c59ba72bb7732b5334f93821

SHA512
5030eed949cc7f4a81b39cfb8b353651c5d2ada349e36badd4688a0fb1f6cadd46d84341ec155f28be507ec5c11e0f9ebacfccee44b72b9a2efd690c7efea8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\psp temp 000004.jpg

Filesize
3KB

MD5
ca27b042430144757d63356d38137661

SHA1
3845964106418dbc32c92669710dae25e25ea6d1

SHA256
af51be0b578384303a216cc220d9abc3c09a7cc42d6d1f6bc619d53e6e1a4b12

SHA512
d032d904cafc007ff65bdf804ff918e7f7ceb64b78295713de4e99bc493e35bfe140214e30eb0e76a24e6746303244d3bcde13527ad662026382f6c5781ef198

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\psp temp 00004.jpg

Filesize
18KB

MD5
0d2efe17254ecbd0cd6d60ea525285cf

SHA1
87752eca53221446b47cd640356d87ffadc50cf5

SHA256
e8a2ed1239139219ea3afc06af9412091ed37b94499affa6447d3eca51a68962

SHA512
1c2d7bc3ae42694303e1513655033fdee57e3531359933e40a93c2053930b621fddf9db238e4026a1995561dfe05bcb06557fc0445ba3c6ab7f5039de4860b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\psp temp 0004.jpg

Filesize
26KB

MD5
73b5d13e775ce0fb3fdafa7d5575fbd0

SHA1
bb1523df66ad3dda80be8821c6864f5ae3e2092e

SHA256
903ee23a6605d258dfc0d76fc56f0364527becb9dad6605973322c4b256e60b0

SHA512
a6be225f8630f68d2315e137f3e130d23c7ad871ff7c585db3a12025014a7714059dc80086c90a063204a7d8c0d883db35c733599b4996f162a1394854b798be

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\psp temp 004.jpg

Filesize
21KB

MD5
7034c229151fcfdc2ce5d14c427232d8

SHA1
13ffeed39b882b8b86fd272fd9152d27b309fcd7

SHA256
07169711db6ff110a03d110304f6e0b69be7cbbdfdc42b3fe9341e4aea31feab

SHA512
bd2af6296383bb30f8818ab1836f888e1d27ba25ac3a5e2be04f2c4c435cf3b7d14ad1b4237cd1f7795605718a009dcb866af1f820cce41ec19fd129d9f474e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\psp temp 04.jpg

Filesize
356KB

MD5
a1a9e597ad0e9da6a093766d4bd4d0d3

SHA1
b7d87e7590d9d4bc76324625598cd7acdf11c3cb

SHA256
fda901c08b4995de697e19dabb09e4d0eeaaff6c6e4665300d86980324e473d9

SHA512
10727a195bd870f9ebe8c38410332a8da765fc575f7917947d9ab513ac7c72e180909b64edd9dc07e868e11cddf81a5ed4127eb29669a42a81583e226c14ace9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
10KB

MD5
0c1cf4ba2d5d1646712704b7e34bff85

SHA1
d56ef66a86f9b67cd179a0d40ac319fee93a6ff3

SHA256
b192aef6f3f95c8221b27871a39e195d1d0d3178058af09982276c3eeaeb19ea

SHA512
d7358688e3d87c4eb1acf0881bab9ffaa971e5630640ebdce1840da551804ec98bd79668bdbd7c5155ffbfa8294dd79da52c6789f57f19b1a58f0a2266f14f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
448KB

MD5
c5d9d6c7843f8048f3b18c1f45c36bd9

SHA1
e2ff3b2649aa3e3f81528f1b2eec2c4046ebbcf7

SHA256
caf38818ceb46008b10a8790730369afd4abb314b2266a4520b91dcecc67cc4c

SHA512
0a75908dda0e172868cb2c4e8c043821e4695eec4a329ec46c0a25d78263348def49a990eb9f7066e5f358f79a74d10bfd69822e55b7ec1a7fbe7af0a8d1890f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
192KB

MD5
63f43e9ebeffe0554f270d7dd4466bdd

SHA1
197bfe1a8ab88f6fc9c3e08c5f14d625128decd3

SHA256
82527ee47cb0fce81c748ad77aff794cc2306346e1b0daf0a921cb5401c798d8

SHA512
45910c02e85b49abb4a0457207e5fdee52e85f5cb0af7cc990dab39078705ba8c1617f557802a2e62b63a156e611579f8461d1d65a17813d24ae4d9cd5279c54

Download Submit
memory/3044-67-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3044-73-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3044-68-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3044-69-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3044-70-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3044-71-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3044-72-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3044-55-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3044-74-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3044-75-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3044-76-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3044-77-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3044-78-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3044-79-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3044-80-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3044-81-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download