f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Size

8.4MB
MD5

6d888f6f8a28d124b1451f58d41e03e4
SHA1

6886b3215cb764a1284240d07504d74aac6bead1
SHA256

f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae
SHA512

fe7ad8a16f53d77f4f0831260198783bc9d9c369d195cec7c983314d065bb4f28623e48991e3ea140b25c6dee45869c6e8ef3f3b8ab3bfec40c0d115896372c4
SSDEEP

196608:MxcCCRhBa323NSQ6In0+KwyrqB+Y7KPhdGP3g7sSp:MxsRu32x6InXyHY7KhdGvg7v

Score

7^/10

upx vmprotect

Malware Config

Signatures

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2180-30-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-28-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-42-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-58-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-46-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-60-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-56-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-54-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-52-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-50-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-48-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-44-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-40-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-38-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-36-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-34-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-32-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-26-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-24-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-22-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-20-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-19-0x0000000000330000-0x000000000036E000-memory.dmp	upx
behavioral1/memory/2180-18-0x0000000000330000-0x000000000036E000-memory.dmp	upx

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2180-0-0x0000000000400000-0x00000000017C0000-memory.dmp	vmprotect
behavioral1/memory/2180-10-0x0000000000400000-0x00000000017C0000-memory.dmp	vmprotect
behavioral1/memory/2180-61-0x0000000000400000-0x00000000017C0000-memory.dmp	vmprotect
behavioral1/memory/2180-62-0x0000000000400000-0x00000000017C0000-memory.dmp	vmprotect
behavioral1/memory/2180-63-0x0000000000400000-0x00000000017C0000-memory.dmp	vmprotect
behavioral1/memory/2180-64-0x0000000000400000-0x00000000017C0000-memory.dmp	vmprotect
behavioral1/memory/2180-65-0x0000000000400000-0x00000000017C0000-memory.dmp	vmprotect
behavioral1/memory/2180-66-0x0000000000400000-0x00000000017C0000-memory.dmp	vmprotect
behavioral1/memory/2180-67-0x0000000000400000-0x00000000017C0000-memory.dmp	vmprotect
behavioral1/memory/2180-68-0x0000000000400000-0x00000000017C0000-memory.dmp	vmprotect

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: 1	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeCreateTokenPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeAssignPrimaryTokenPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeLockMemoryPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeIncreaseQuotaPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeMachineAccountPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeTcbPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeSecurityPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeTakeOwnershipPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeLoadDriverPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeSystemProfilePrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeSystemtimePrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeProfSingleProcessPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeIncBasePriorityPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeCreatePagefilePrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeCreatePermanentPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeBackupPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeRestorePrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeShutdownPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeDebugPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeAuditPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeSystemEnvironmentPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeChangeNotifyPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeRemoteShutdownPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeUndockPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeSyncAgentPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeEnableDelegationPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeManageVolumePrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeImpersonatePrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeCreateGlobalPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: 31	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: 32	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: 33	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: 34	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: 35	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: 36	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: 37	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: 38	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: 39	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: 40	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: 41	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: 42	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: 43	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: 44	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: 45	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: 46	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: 47	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: 48	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
Token: SeDebugPrivilege	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2560	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe	28
PID 2180 wrote to memory of 2560	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe	28
PID 2180 wrote to memory of 2560	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe	28
PID 2180 wrote to memory of 2560	2180	f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe	28
PID 2560 wrote to memory of 2540	2560	net.exe	30
PID 2560 wrote to memory of 2540	2560	net.exe	30
PID 2560 wrote to memory of 2540	2560	net.exe	30
PID 2560 wrote to memory of 2540	2560	net.exe	30

C:\Users\Admin\AppData\Local\Temp\f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe
"C:\Users\Admin\AppData\Local\Temp\f991f902206d04b5013d8cf65903043b0112ea60704a10d7ba93a3ad8e7754ae.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\net.exe
  net.exe stop "Desktop Window Manager Session Manager"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
    3⤵
    PID:2540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2180-0-0x0000000000400000-0x00000000017C0000-memory.dmp

Filesize
19.8MB

Download
memory/2180-1-0x0000000000401000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/2180-8-0x0000000075330000-0x0000000075331000-memory.dmp

Filesize
4KB

Download
memory/2180-4-0x0000000077950000-0x0000000077951000-memory.dmp

Filesize
4KB

Download
memory/2180-2-0x0000000077950000-0x0000000077951000-memory.dmp

Filesize
4KB

Download
memory/2180-10-0x0000000000400000-0x00000000017C0000-memory.dmp

Filesize
19.8MB

Download
memory/2180-30-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-28-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-42-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-58-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-46-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-60-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-61-0x0000000000400000-0x00000000017C0000-memory.dmp

Filesize
19.8MB

Download
memory/2180-56-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-62-0x0000000000400000-0x00000000017C0000-memory.dmp

Filesize
19.8MB

Download
memory/2180-54-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-52-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-50-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-48-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-44-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-40-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-38-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-36-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-34-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-32-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-26-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-24-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-22-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-63-0x0000000000400000-0x00000000017C0000-memory.dmp

Filesize
19.8MB

Download
memory/2180-64-0x0000000000400000-0x00000000017C0000-memory.dmp

Filesize
19.8MB

Download
memory/2180-65-0x0000000000400000-0x00000000017C0000-memory.dmp

Filesize
19.8MB

Download
memory/2180-20-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-66-0x0000000000400000-0x00000000017C0000-memory.dmp

Filesize
19.8MB

Download
memory/2180-19-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-18-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2180-67-0x0000000000400000-0x00000000017C0000-memory.dmp

Filesize
19.8MB

Download
memory/2180-68-0x0000000000400000-0x00000000017C0000-memory.dmp

Filesize
19.8MB

Download