98c1c42e583926078183b6791e1c6d59807633f228b9ba7cd092d7b9525bb576

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e136a8e48b74a83c9c6abff1d7ba7e7f.exe
Size

96KB
MD5

e136a8e48b74a83c9c6abff1d7ba7e7f
SHA1

56d6e1b876408d61ecfc117382353f41aa4788bc
SHA256

98c1c42e583926078183b6791e1c6d59807633f228b9ba7cd092d7b9525bb576
SHA512

848ecef5aa0c458e7ec51d57cafdf86b99c4ac753ac787642690d0ec719aa0e151096b5a5ac1510d158fe70d01a7fa6fa7d9df00663aabf9f3a31dfff19f524d
SSDEEP

3072:WFnjy/Yosc//////Rpd3Sm+7oKiAQvP+KX9G:wW/Y5c//////jBSTsMK

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2492	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2588	wmnet.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000155ed-1.dat	upx
behavioral1/memory/2220-3-0x00000000005A0000-0x00000000005EA000-memory.dmp	upx
behavioral1/memory/2588-11-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral1/memory/2588-10-0x0000000000400000-0x000000000044A000-memory.dmp	upx

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
Token: SeDebugPrivilege	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
Token: SeDebugPrivilege	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
Token: SeDebugPrivilege	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
Token: SeDebugPrivilege	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
Token: SeDebugPrivilege	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
Token: SeDebugPrivilege	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
Token: SeDebugPrivilege	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
Token: SeDebugPrivilege	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe
Token: SeDebugPrivilege	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1704	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	28
PID 2220 wrote to memory of 1704	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	28
PID 2220 wrote to memory of 1704	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	28
PID 2220 wrote to memory of 1704	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	28
PID 2220 wrote to memory of 2352	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	29
PID 2220 wrote to memory of 2352	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	29
PID 2220 wrote to memory of 2352	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	29
PID 2220 wrote to memory of 2352	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	29
PID 2220 wrote to memory of 2328	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	30
PID 2220 wrote to memory of 2328	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	30
PID 2220 wrote to memory of 2328	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	30
PID 2220 wrote to memory of 2328	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	30
PID 2220 wrote to memory of 2380	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	34
PID 2220 wrote to memory of 2380	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	34
PID 2220 wrote to memory of 2380	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	34
PID 2220 wrote to memory of 2380	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	34
PID 2220 wrote to memory of 2280	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	35
PID 2220 wrote to memory of 2280	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	35
PID 2220 wrote to memory of 2280	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	35
PID 2220 wrote to memory of 2280	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	35
PID 2220 wrote to memory of 2580	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	36
PID 2220 wrote to memory of 2580	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	36
PID 2220 wrote to memory of 2580	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	36
PID 2220 wrote to memory of 2580	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	36
PID 1704 wrote to memory of 2576	1704	net.exe	38
PID 1704 wrote to memory of 2576	1704	net.exe	38
PID 1704 wrote to memory of 2576	1704	net.exe	38
PID 1704 wrote to memory of 2576	1704	net.exe	38
PID 2328 wrote to memory of 2616	2328	net.exe	37
PID 2328 wrote to memory of 2616	2328	net.exe	37
PID 2328 wrote to memory of 2616	2328	net.exe	37
PID 2328 wrote to memory of 2616	2328	net.exe	37
PID 2352 wrote to memory of 2720	2352	net.exe	41
PID 2352 wrote to memory of 2720	2352	net.exe	41
PID 2352 wrote to memory of 2720	2352	net.exe	41
PID 2352 wrote to memory of 2720	2352	net.exe	41
PID 2280 wrote to memory of 2604	2280	net.exe	43
PID 2280 wrote to memory of 2604	2280	net.exe	43
PID 2280 wrote to memory of 2604	2280	net.exe	43
PID 2280 wrote to memory of 2604	2280	net.exe	43
PID 2580 wrote to memory of 2148	2580	net.exe	44
PID 2580 wrote to memory of 2148	2580	net.exe	44
PID 2580 wrote to memory of 2148	2580	net.exe	44
PID 2580 wrote to memory of 2148	2580	net.exe	44
PID 2380 wrote to memory of 2760	2380	net.exe	45
PID 2380 wrote to memory of 2760	2380	net.exe	45
PID 2380 wrote to memory of 2760	2380	net.exe	45
PID 2380 wrote to memory of 2760	2380	net.exe	45
PID 2220 wrote to memory of 2588	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	46
PID 2220 wrote to memory of 2588	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	46
PID 2220 wrote to memory of 2588	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	46
PID 2220 wrote to memory of 2588	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	46
PID 2220 wrote to memory of 2492	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	47
PID 2220 wrote to memory of 2492	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	47
PID 2220 wrote to memory of 2492	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	47
PID 2220 wrote to memory of 2492	2220	e136a8e48b74a83c9c6abff1d7ba7e7f.exe	47

C:\Users\Admin\AppData\Local\Temp\e136a8e48b74a83c9c6abff1d7ba7e7f.exe
"C:\Users\Admin\AppData\Local\Temp\e136a8e48b74a83c9c6abff1d7ba7e7f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:2576
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2720
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    PID:2616
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:2760
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2604
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    PID:2148
- C:\Users\Admin\AppData\Local\Temp\wmnet.exe
  C:\Users\Admin\AppData\Local\Temp\wmnet.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\avp.exe
  2⤵
  - Deletes itself
  PID:2492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\wmnet.exe

Filesize
23KB

MD5
fa3acafb717bfdf0c93b25fa5d111207

SHA1
3c685929a68bc4ec9835a9bd34c690c2b80356e4

SHA256
98f20ebf9c31e91b6f1d1883fb3de7b2dd61aa301fb0ae67b997975a59ce4709

SHA512
2fbb5f27d3443a711f385ce112d1d51cc198f10afdfe9952a441c208bbf796dff678fefbaf9d7035f403a6b081c4b32b7326702043776bfd75633e9a0d805374

Download Submit
memory/2220-8-0x00000000005A0000-0x00000000005EA000-memory.dmp

Filesize
296KB

Download
memory/2220-3-0x00000000005A0000-0x00000000005EA000-memory.dmp

Filesize
296KB

Download
memory/2588-11-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2588-10-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download