77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
Size

4.1MB
MD5

c6e5f3f5ba9ae8fb70f73fae8b2172fa
SHA1

9719bb8ddd55e4d5105685a2a3ac5b80c01b4ac8
SHA256

77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977
SHA512

b8c82c9a1b3428604efda7e9083e396cab41b126769ad6d26d60b9ea432f14023a56cdbaab27cda46f6c95346f3efdb2abd5ae5b46afa9abd6c663a26cd25a4b
SSDEEP

49152:Pmmk1H6gBnOpek8EZp5OPycC5rcQq8oy7auZzyDxItd1Eh5qwlRxvNHhYNVTKG5j:Pmu4nOkO5v5w/8LJ79q8cQVeWC/3Mn

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5008	chlxrbadyixompyacbacfksupkncckh-elevate.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2616-2-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/files/0x0007000000023464-6.dat	upx
behavioral1/memory/4080-7-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/5008-12-0x00007FF6648B0000-0x00007FF6661B9000-memory.dmp	upx
behavioral1/memory/5008-11-0x00007FF6648B0000-0x00007FF6661B9000-memory.dmp	upx
behavioral1/memory/2280-19-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/2280-31-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/2616-33-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/4080-34-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/2616-35-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/4080-37-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/2616-36-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/4080-38-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/4080-41-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/2616-40-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/4080-43-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/2616-42-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/2616-44-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/4080-45-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/4080-47-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/2616-46-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/2616-48-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/4080-49-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/2616-50-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/4080-51-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/2616-52-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/4080-53-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/2616-54-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/4080-55-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/2616-56-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/4080-57-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/2616-58-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/4080-59-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/2616-60-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/4080-61-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/2616-62-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx
behavioral1/memory/4080-63-0x00007FF715D90000-0x00007FF717699000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe = "11001"	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe = "11001"	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2280	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
2280	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2616	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4080	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
4080	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
4080	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
4080	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
4080	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4080	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
4080	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
4080	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
4080	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
4080	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 4080	2616	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe	82
PID 2616 wrote to memory of 4080	2616	77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe	82

C:\Users\Admin\AppData\Local\Temp\77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
"C:\Users\Admin\AppData\Local\Temp\77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
  "C:\Users\Admin\AppData\Local\Temp\77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe" -gpipe \\.\pipe\PCommand97Getscreen.me -gui
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4080
- C:\Users\Admin\AppData\Local\Temp\77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe
  "C:\Users\Admin\AppData\Local\Temp\77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977.exe" -cpipe \\.\pipe\PCommand96Getscreen.me -cmem 0000pipe0PCommand96Getscreen0me5ya54o8750pz5kl -child
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2280

C:\ProgramData\Getscreen.me\chlxrbadyixompyacbacfksupkncckh-elevate.exe
"C:\ProgramData\Getscreen.me\chlxrbadyixompyacbacfksupkncckh-elevate.exe" -elevate \\.\pipe\elevateGS512chlxrbadyixompyacbacfksupkncckh
1⤵
- Executes dropped EXE
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Getscreen.me\chlxrbadyixompyacbacfksupkncckh-elevate.exe

Filesize
4.1MB

MD5
c6e5f3f5ba9ae8fb70f73fae8b2172fa

SHA1
9719bb8ddd55e4d5105685a2a3ac5b80c01b4ac8

SHA256
77d6b48b175a9ece403bc236ec744801c67ff6addcb712c36754237cc2e41977

SHA512
b8c82c9a1b3428604efda7e9083e396cab41b126769ad6d26d60b9ea432f14023a56cdbaab27cda46f6c95346f3efdb2abd5ae5b46afa9abd6c663a26cd25a4b

Download Submit
C:\ProgramData\Getscreen.me\logs\20240605.log

Filesize
3KB

MD5
5436c3babc4b99ae8ced44c5a019691a

SHA1
60acb4dca22a598d09e256fb3a025813acd6b2c2

SHA256
63691908720ff06952c4b63e60ef60315ae9b84b9547069372585932a19a7ec3

SHA512
3b343b5460e0b4aaf6c8bed7588827f7b45fa804d86c4cd0969ccd58ee61b44b325c366dcad0081b488abfc783f27758f370180902df0dc06d519cba52744586

Download Submit
C:\ProgramData\Getscreen.me\logs\20240605.log

Filesize
261B

MD5
b9173876111eb14380f7e355c0875d47

SHA1
0ab71dd898ed0118d02dcd871d99c0bbbfb471dd

SHA256
6ca6564af663d71b35d172873a5a438979c65ff6cbb4be16586ce8fd4ff3c652

SHA512
93d7ed62f6e6bb96d4f2b79598b7ec96e7dcea9cf24a8ed7f6924ffb3fd0ae477586ffde0aceaa822abda76c4066147650c5ada3a491b0e049c76cdaee683032

Download Submit
C:\ProgramData\Getscreen.me\logs\20240605.log

Filesize
667B

MD5
3849ff8c8a9e1554e42c37db70f46dcc

SHA1
00ec564b73bf137e63e5b83e4dfa76b7bfc8ac93

SHA256
63abb9d1301d3f7bf75c1bbe947477570717df2885b0ae7f48b220129a37c73e

SHA512
6b54e67dd4f0a3d0b57ab27d61f0b1403c86ba8767ec7d64e5ddc1b9860b9cd30d46d78bbd8e7490c8d73d4886e1e47fd1146a3f5cbb359255f6823b947de7d0

Download Submit
C:\ProgramData\Getscreen.me\memory\0000pipe0PCommand96Getscreen0me5ya54o8750pz5kl

Filesize
16.0MB

MD5
76e060e929a27a8f50a5ea6edfc52356

SHA1
91b7bc99d759d84720b376f69bc934d75d9ec549

SHA256
95f95f6678ad42de249fe02f78472b553837b1e2aecd2f43b5715fae9187feae

SHA512
f1a361f28a87b18b8b5707bd3332e751ee30dfc5c9a32a4bbc39b7e8d5ac34385e96b49546003741a797c1a8e53537a91d5345dfcb1707bc65a483d458fd38fe

Download Submit
memory/2280-31-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/2280-19-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/2616-52-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/2616-46-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/2616-62-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/2616-60-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/2616-33-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/2616-58-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/2616-35-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/2616-56-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/2616-36-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/2616-54-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/2616-2-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/2616-50-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/2616-40-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/2616-48-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/2616-42-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/2616-44-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/4080-38-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/4080-34-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/4080-45-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/4080-43-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/4080-49-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/4080-41-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/4080-51-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/4080-63-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/4080-53-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/4080-61-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/4080-55-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/4080-37-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/4080-57-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/4080-47-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/4080-59-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/4080-7-0x00007FF715D90000-0x00007FF717699000-memory.dmp

Filesize
25.0MB

Download
memory/5008-11-0x00007FF6648B0000-0x00007FF6661B9000-memory.dmp

Filesize
25.0MB

Download
memory/5008-12-0x00007FF6648B0000-0x00007FF6661B9000-memory.dmp

Filesize
25.0MB

Download
memory/5008-39-0x00007FF6648B0000-0x00007FF6661B9000-memory.dmp

Filesize
25.0MB

Download