bce3b5cbe9b7f662df066a8404881f22dfcce74374d88d3dcc8eb679fcbf7974

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 12:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bce3b5cbe9b7f662df066a8404881f22dfcce74374d88d3dcc8eb679fcbf7974.exe
Size

4.6MB
MD5

b979efa04830c8be5db47f6da72adc77
SHA1

c7ec0631167d1f6b824c9dd81f965d7681e232cc
SHA256

bce3b5cbe9b7f662df066a8404881f22dfcce74374d88d3dcc8eb679fcbf7974
SHA512

8110087b7a6c7765fb597bf269799191f49508fedaa2afc22b869f1e0c34f26d78fec217a1e1c35b01e1cf150c38874ec054346ef1047fa01b8f7de01777548b
SSDEEP

24576:55pWnfFCAx999999999999999999999999999999999999999999999999999995:vUn9C7Sqc6QBpWilknWx

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
824	MWPpV1Ab.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00090000000233d8-5.dat	upx
behavioral2/memory/824-6-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral2/memory/824-43-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3560	bce3b5cbe9b7f662df066a8404881f22dfcce74374d88d3dcc8eb679fcbf7974.exe
3560	bce3b5cbe9b7f662df066a8404881f22dfcce74374d88d3dcc8eb679fcbf7974.exe
3560	bce3b5cbe9b7f662df066a8404881f22dfcce74374d88d3dcc8eb679fcbf7974.exe
3560	bce3b5cbe9b7f662df066a8404881f22dfcce74374d88d3dcc8eb679fcbf7974.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3560	bce3b5cbe9b7f662df066a8404881f22dfcce74374d88d3dcc8eb679fcbf7974.exe
824	MWPpV1Ab.exe
824	MWPpV1Ab.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 824	3560	bce3b5cbe9b7f662df066a8404881f22dfcce74374d88d3dcc8eb679fcbf7974.exe	90
PID 3560 wrote to memory of 824	3560	bce3b5cbe9b7f662df066a8404881f22dfcce74374d88d3dcc8eb679fcbf7974.exe	90
PID 3560 wrote to memory of 824	3560	bce3b5cbe9b7f662df066a8404881f22dfcce74374d88d3dcc8eb679fcbf7974.exe	90
PID 824 wrote to memory of 2884	824	MWPpV1Ab.exe	91
PID 824 wrote to memory of 2884	824	MWPpV1Ab.exe	91
PID 824 wrote to memory of 2884	824	MWPpV1Ab.exe	91

C:\Users\Admin\AppData\Local\Temp\bce3b5cbe9b7f662df066a8404881f22dfcce74374d88d3dcc8eb679fcbf7974.exe
"C:\Users\Admin\AppData\Local\Temp\bce3b5cbe9b7f662df066a8404881f22dfcce74374d88d3dcc8eb679fcbf7974.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Users\Public\Downloads\EsUL5jX3\MWPpV1Ab.exe
  "C:\Users\Public\Downloads\EsUL5jX3\MWPpV1Ab.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo.>c:\xxxx.ini
    3⤵
    PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG

Filesize
36KB

MD5
f6bf82a293b69aa5b47d4e2de305d45a

SHA1
4948716616d4bbe68be2b4c5bf95350402d3f96f

SHA256
6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

SHA512
edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

Download Submit
C:\Users\Public\Downloads\EsUL5jX3\Edge.jpg

Filesize
358KB

MD5
908f2e888327257d47fbe292441ba670

SHA1
1d0d796bcf76eb93907ddef2559e1dd88ff2f18d

SHA256
34468970f5adb8f287deca07fd486079882bbf1f2de2aee650607a9c58dc2340

SHA512
d8fce96f42f84b84c91ecc43a657ca58cab02d3676f8d124de0e280e80b2301276f743b1a6daa3f511e845247861293e456d782f36756b9b34a9c76cc93e0a78

Download Submit
C:\Users\Public\Downloads\EsUL5jX3\MWPpV1Ab.dat

Filesize
132KB

MD5
e08d821bd9e6b021529315ed59e4a5c5

SHA1
6af72a0a83d31d5d78d4dfbbd96f87402898329b

SHA256
460d68647d11fd35d0d1c4ad937c90edadb01e0eb15178ea6808f8585155abc8

SHA512
a7da503c8d1fc9d8e432b02688efeeefc082cb8e82f3b589db8bcb6419e34b2088c8f7e883372e1f9a1a9452fbf459e083970b2f34d5a5795c77a35343c1a05f

Download Submit
C:\Users\Public\Downloads\EsUL5jX3\MWPpV1Ab.exe

Filesize
525KB

MD5
830a6976bc216eda04885d80adf400c9

SHA1
c8609605da54492d5b32b06b539107c951581ba4

SHA256
350d55b18230c5844a65954a74cf896a3aa52decfe4d0b02d233cd9588f54dce

SHA512
118b6daf69df096cb42ebb98a008a922d2906a55b970e6876c162ab25a29ca9bcd9b79cd9296d52fa8108990c57105e5df86b4462263fded95a70be963a259e5

Download Submit
C:\Users\Public\Downloads\EsUL5jX3\edge.xml

Filesize
53KB

MD5
c4b4ffdab62e44d0986f9e843860cd9b

SHA1
534e55163ee90033c5ba96b35f9122774c8ed805

SHA256
1f95b02c7b4a4d7d95a5fdf41862c3332584fe70350f923ef22353b699dfd97c

SHA512
c703acabeb21bb4da1678fdab35d25db53556430154b89e84c118d7b2491dbd875e9d83866d6bfd3a26127581079a996c5ddfbd52aee52e297a096045eb035dc

Download Submit
memory/824-6-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/824-28-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/824-30-0x00000000037C0000-0x00000000037D2000-memory.dmp

Filesize
72KB

Download
memory/824-32-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/824-43-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download