fdec998795d6abb84aa1d131e5dda86396849000ca57dfa93497874aa6cca38f

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdec998795d6abb84aa1d131e5dda86396849000ca57dfa93497874aa6cca38f.exe
Size

433KB
MD5

686f62b85ba73984b1971b1e4dc72dfb
SHA1

e4c907e6a8419e5428c235398326947001148cbf
SHA256

fdec998795d6abb84aa1d131e5dda86396849000ca57dfa93497874aa6cca38f
SHA512

557ccd046b89dba6ffa67bb0b511ef07ef8a75f1c7cd6beff8f9070c8550b8e4baf25a8d2fbc839b0d16a1d50b1f8fa69b69c89cfd65c9094c7d9a719aaa3ef2
SSDEEP

12288:Y7KAnqKJIUADVGBRZJrBFGcyh5SQ2uswvecp79:Y7KAnqKJIUABGBRbBFGcyh5S1uswvecz

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral1/memory/2028-0-0x0000000000400000-0x000000000046C000-memory.dmp	UPX
behavioral1/files/0x0037000000014286-10.dat	UPX
behavioral1/memory/2664-34-0x0000000000400000-0x000000000046C000-memory.dmp	UPX
behavioral1/memory/2028-35-0x0000000000400000-0x000000000046C000-memory.dmp	UPX

Deletes itself 1 IoCs

pid	Process
2664	Sysceamhfgfd.exe

Executes dropped EXE 1 IoCs

pid	Process
2664	Sysceamhfgfd.exe

Loads dropped DLL 2 IoCs

pid	Process
2028	fdec998795d6abb84aa1d131e5dda86396849000ca57dfa93497874aa6cca38f.exe
2028	fdec998795d6abb84aa1d131e5dda86396849000ca57dfa93497874aa6cca38f.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2028-0-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/files/0x0037000000014286-10.dat	upx
behavioral1/memory/2664-34-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2028-35-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe
2664	Sysceamhfgfd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2664	2028	fdec998795d6abb84aa1d131e5dda86396849000ca57dfa93497874aa6cca38f.exe	29
PID 2028 wrote to memory of 2664	2028	fdec998795d6abb84aa1d131e5dda86396849000ca57dfa93497874aa6cca38f.exe	29
PID 2028 wrote to memory of 2664	2028	fdec998795d6abb84aa1d131e5dda86396849000ca57dfa93497874aa6cca38f.exe	29
PID 2028 wrote to memory of 2664	2028	fdec998795d6abb84aa1d131e5dda86396849000ca57dfa93497874aa6cca38f.exe	29

C:\Users\Admin\AppData\Local\Temp\fdec998795d6abb84aa1d131e5dda86396849000ca57dfa93497874aa6cca38f.exe
"C:\Users\Admin\AppData\Local\Temp\fdec998795d6abb84aa1d131e5dda86396849000ca57dfa93497874aa6cca38f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\Sysceamhfgfd.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamhfgfd.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
6003071f5fbca5844adf3eff6e02646a

SHA1
633281781de783f0585fb2b47337b4dc34e3ef02

SHA256
af02a6a7a2fe4e9d1d11406435222a7e7d5c769f8cd9846ed41c970bbdfc01c8

SHA512
747d91b758553fa76a985230314a8b9a2771b22a92b0e8506444cb08d73023801a50b782d41803b4a7c336ee024c4b01e8febff47a476d16e36c0f2daf63129a

Download Submit
\Users\Admin\AppData\Local\Temp\Sysceamhfgfd.exe

Filesize
434KB

MD5
f84bdd97a323d8a47fefb4440c23bb31

SHA1
e5eeb0f4c3544a4e57b81c2e2de076baaf1ada17

SHA256
fd0f1da21792e2d4f22d7f15870d4ec4f0760d89eba696bdc0b0ed6aef09e87c

SHA512
26820bdd70ea524cc076ac989dd2e2a2cc7d1ba3a9be49f8db5d7babb6e776213e1ecc9fab270b50db06a5656bb9b08ef260a3577410c54079c4b4f7a770602d

Download Submit
memory/2028-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2028-33-0x0000000003860000-0x00000000038CC000-memory.dmp

Filesize
432KB

Download
memory/2028-35-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2664-34-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download