34fbfb2c0fd5af5b3c1f92ce7f45ed9c5cf1b0e6a3903f87139f6eac71b1068a

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 10:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

deeb229a7e2e24331f21d2664d394e7d.exe
Size

230KB
MD5

deeb229a7e2e24331f21d2664d394e7d
SHA1

da789966071557edea438682458c5de31c100c0e
SHA256

34fbfb2c0fd5af5b3c1f92ce7f45ed9c5cf1b0e6a3903f87139f6eac71b1068a
SHA512

0919857df8aff5f638967b7e1fa702c8ff902a813e6e76deb6b8a5ac054c4d065f35e87dc1aca179ec32f69ebcf0143f21c7dbd70631684c726d813535c42997
SSDEEP

3072:IiLmJZ7JuMkmJPB2GBwmUvxxvc+lW7VXXRKwGdeq0MmnNINuVNhn/OBLyeTSSQm5:8rBxX+HJxvq7VHAwweB2NurhnKLyJzF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2036-0-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2036	deeb229a7e2e24331f21d2664d394e7d.exe

Suspicious behavior: MapViewOfSection 22 IoCs

pid	Process
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe
2036	deeb229a7e2e24331f21d2664d394e7d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	deeb229a7e2e24331f21d2664d394e7d.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2036	deeb229a7e2e24331f21d2664d394e7d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 372	2036	deeb229a7e2e24331f21d2664d394e7d.exe	3
PID 2036 wrote to memory of 372	2036	deeb229a7e2e24331f21d2664d394e7d.exe	3
PID 2036 wrote to memory of 372	2036	deeb229a7e2e24331f21d2664d394e7d.exe	3
PID 2036 wrote to memory of 372	2036	deeb229a7e2e24331f21d2664d394e7d.exe	3
PID 2036 wrote to memory of 372	2036	deeb229a7e2e24331f21d2664d394e7d.exe	3
PID 2036 wrote to memory of 372	2036	deeb229a7e2e24331f21d2664d394e7d.exe	3
PID 2036 wrote to memory of 372	2036	deeb229a7e2e24331f21d2664d394e7d.exe	3
PID 2036 wrote to memory of 384	2036	deeb229a7e2e24331f21d2664d394e7d.exe	4
PID 2036 wrote to memory of 384	2036	deeb229a7e2e24331f21d2664d394e7d.exe	4
PID 2036 wrote to memory of 384	2036	deeb229a7e2e24331f21d2664d394e7d.exe	4
PID 2036 wrote to memory of 384	2036	deeb229a7e2e24331f21d2664d394e7d.exe	4
PID 2036 wrote to memory of 384	2036	deeb229a7e2e24331f21d2664d394e7d.exe	4
PID 2036 wrote to memory of 384	2036	deeb229a7e2e24331f21d2664d394e7d.exe	4
PID 2036 wrote to memory of 384	2036	deeb229a7e2e24331f21d2664d394e7d.exe	4
PID 2036 wrote to memory of 420	2036	deeb229a7e2e24331f21d2664d394e7d.exe	5
PID 2036 wrote to memory of 420	2036	deeb229a7e2e24331f21d2664d394e7d.exe	5
PID 2036 wrote to memory of 420	2036	deeb229a7e2e24331f21d2664d394e7d.exe	5
PID 2036 wrote to memory of 420	2036	deeb229a7e2e24331f21d2664d394e7d.exe	5
PID 2036 wrote to memory of 420	2036	deeb229a7e2e24331f21d2664d394e7d.exe	5
PID 2036 wrote to memory of 420	2036	deeb229a7e2e24331f21d2664d394e7d.exe	5
PID 2036 wrote to memory of 420	2036	deeb229a7e2e24331f21d2664d394e7d.exe	5
PID 2036 wrote to memory of 464	2036	deeb229a7e2e24331f21d2664d394e7d.exe	6
PID 2036 wrote to memory of 464	2036	deeb229a7e2e24331f21d2664d394e7d.exe	6
PID 2036 wrote to memory of 464	2036	deeb229a7e2e24331f21d2664d394e7d.exe	6
PID 2036 wrote to memory of 464	2036	deeb229a7e2e24331f21d2664d394e7d.exe	6
PID 2036 wrote to memory of 464	2036	deeb229a7e2e24331f21d2664d394e7d.exe	6
PID 2036 wrote to memory of 464	2036	deeb229a7e2e24331f21d2664d394e7d.exe	6
PID 2036 wrote to memory of 464	2036	deeb229a7e2e24331f21d2664d394e7d.exe	6
PID 2036 wrote to memory of 480	2036	deeb229a7e2e24331f21d2664d394e7d.exe	7
PID 2036 wrote to memory of 480	2036	deeb229a7e2e24331f21d2664d394e7d.exe	7
PID 2036 wrote to memory of 480	2036	deeb229a7e2e24331f21d2664d394e7d.exe	7
PID 2036 wrote to memory of 480	2036	deeb229a7e2e24331f21d2664d394e7d.exe	7
PID 2036 wrote to memory of 480	2036	deeb229a7e2e24331f21d2664d394e7d.exe	7
PID 2036 wrote to memory of 480	2036	deeb229a7e2e24331f21d2664d394e7d.exe	7
PID 2036 wrote to memory of 480	2036	deeb229a7e2e24331f21d2664d394e7d.exe	7
PID 2036 wrote to memory of 488	2036	deeb229a7e2e24331f21d2664d394e7d.exe	8
PID 2036 wrote to memory of 488	2036	deeb229a7e2e24331f21d2664d394e7d.exe	8
PID 2036 wrote to memory of 488	2036	deeb229a7e2e24331f21d2664d394e7d.exe	8
PID 2036 wrote to memory of 488	2036	deeb229a7e2e24331f21d2664d394e7d.exe	8
PID 2036 wrote to memory of 488	2036	deeb229a7e2e24331f21d2664d394e7d.exe	8
PID 2036 wrote to memory of 488	2036	deeb229a7e2e24331f21d2664d394e7d.exe	8
PID 2036 wrote to memory of 488	2036	deeb229a7e2e24331f21d2664d394e7d.exe	8
PID 2036 wrote to memory of 608	2036	deeb229a7e2e24331f21d2664d394e7d.exe	9
PID 2036 wrote to memory of 608	2036	deeb229a7e2e24331f21d2664d394e7d.exe	9
PID 2036 wrote to memory of 608	2036	deeb229a7e2e24331f21d2664d394e7d.exe	9
PID 2036 wrote to memory of 608	2036	deeb229a7e2e24331f21d2664d394e7d.exe	9
PID 2036 wrote to memory of 608	2036	deeb229a7e2e24331f21d2664d394e7d.exe	9
PID 2036 wrote to memory of 608	2036	deeb229a7e2e24331f21d2664d394e7d.exe	9
PID 2036 wrote to memory of 608	2036	deeb229a7e2e24331f21d2664d394e7d.exe	9
PID 2036 wrote to memory of 688	2036	deeb229a7e2e24331f21d2664d394e7d.exe	10
PID 2036 wrote to memory of 688	2036	deeb229a7e2e24331f21d2664d394e7d.exe	10
PID 2036 wrote to memory of 688	2036	deeb229a7e2e24331f21d2664d394e7d.exe	10
PID 2036 wrote to memory of 688	2036	deeb229a7e2e24331f21d2664d394e7d.exe	10
PID 2036 wrote to memory of 688	2036	deeb229a7e2e24331f21d2664d394e7d.exe	10
PID 2036 wrote to memory of 688	2036	deeb229a7e2e24331f21d2664d394e7d.exe	10
PID 2036 wrote to memory of 688	2036	deeb229a7e2e24331f21d2664d394e7d.exe	10
PID 2036 wrote to memory of 772	2036	deeb229a7e2e24331f21d2664d394e7d.exe	11
PID 2036 wrote to memory of 772	2036	deeb229a7e2e24331f21d2664d394e7d.exe	11
PID 2036 wrote to memory of 772	2036	deeb229a7e2e24331f21d2664d394e7d.exe	11
PID 2036 wrote to memory of 772	2036	deeb229a7e2e24331f21d2664d394e7d.exe	11
PID 2036 wrote to memory of 772	2036	deeb229a7e2e24331f21d2664d394e7d.exe	11
PID 2036 wrote to memory of 772	2036	deeb229a7e2e24331f21d2664d394e7d.exe	11
PID 2036 wrote to memory of 772	2036	deeb229a7e2e24331f21d2664d394e7d.exe	11
PID 2036 wrote to memory of 816	2036	deeb229a7e2e24331f21d2664d394e7d.exe	12

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:464
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:608
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1732
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:688
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:772
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:816
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1164
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:868
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:1004
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:340
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:760
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1084
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1136
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2812
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:3020
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:480
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\deeb229a7e2e24331f21d2664d394e7d.exe
  "C:\Users\Admin\AppData\Local\Temp\deeb229a7e2e24331f21d2664d394e7d.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2036

C:\Users\Admin\AppData\Local\Temp\2942551455\zmstage.exe
C:\Users\Admin\AppData\Local\Temp\2942551455\zmstage.exe
1⤵
PID:2896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2036-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2036-4-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2036-3-0x0000000000030000-0x0000000000032000-memory.dmp

Filesize
8KB

Download
memory/2036-2-0x0000000077750000-0x0000000077751000-memory.dmp

Filesize
4KB

Download
memory/2036-1-0x000000007774F000-0x0000000077750000-memory.dmp

Filesize
4KB

Download