0b45d35a3994b052a3444d904e71b60dec04ca7c5bfa0a6d33d240248f99ecf6

Analysis

max time kernel
121s
max time network
119s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
22/07/2024, 13:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0b45d35a3994b052a3444d904e71b60dec04ca7c5bfa0a6d33d240248f99ecf6.exe
Size

24.7MB
MD5

7df4ce7311af888872a47330cbbb87b1
SHA1

193d73c507bbe44417687a70e57325ea7ad3d53b
SHA256

0b45d35a3994b052a3444d904e71b60dec04ca7c5bfa0a6d33d240248f99ecf6
SHA512

f27c392d06efaaebb12f4ba95dc0d788ada46260c8628232023d5d72c86edc97e6f1cc844bdb13ed034ffb10d5df0da74141fd321b6dae0306a3ce79181b4c71
SSDEEP

393216:+33dwf5M7JEIVPALoySWYczr6GKucKb1u6/x/KV2SS6CerbqD5RTAr7:y3GWVJtArJh9lKy6d2LTAr7

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2440-33-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-45-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-55-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-53-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-51-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-49-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-47-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-43-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-41-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-39-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-37-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-35-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-31-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-27-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-25-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-24-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-15-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-14-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-13-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-29-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-21-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-19-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-17-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2440-129-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2440	0b45d35a3994b052a3444d904e71b60dec04ca7c5bfa0a6d33d240248f99ecf6.exe
3492	F9.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3436	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5104	taskkill.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2440	0b45d35a3994b052a3444d904e71b60dec04ca7c5bfa0a6d33d240248f99ecf6.exe
2440	0b45d35a3994b052a3444d904e71b60dec04ca7c5bfa0a6d33d240248f99ecf6.exe
2440	0b45d35a3994b052a3444d904e71b60dec04ca7c5bfa0a6d33d240248f99ecf6.exe
2440	0b45d35a3994b052a3444d904e71b60dec04ca7c5bfa0a6d33d240248f99ecf6.exe
3492	F9.exe
3492	F9.exe
3492	F9.exe
3492	F9.exe
3492	F9.exe
3492	F9.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1288	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	0b45d35a3994b052a3444d904e71b60dec04ca7c5bfa0a6d33d240248f99ecf6.exe
Token: SeDebugPrivilege	5104	taskkill.exe
Token: SeDebugPrivilege	3492	F9.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2440	0b45d35a3994b052a3444d904e71b60dec04ca7c5bfa0a6d33d240248f99ecf6.exe
2440	0b45d35a3994b052a3444d904e71b60dec04ca7c5bfa0a6d33d240248f99ecf6.exe
2440	0b45d35a3994b052a3444d904e71b60dec04ca7c5bfa0a6d33d240248f99ecf6.exe
3492	F9.exe
3492	F9.exe
3492	F9.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1288	2440	0b45d35a3994b052a3444d904e71b60dec04ca7c5bfa0a6d33d240248f99ecf6.exe	79
PID 2440 wrote to memory of 1288	2440	0b45d35a3994b052a3444d904e71b60dec04ca7c5bfa0a6d33d240248f99ecf6.exe	79
PID 2440 wrote to memory of 1288	2440	0b45d35a3994b052a3444d904e71b60dec04ca7c5bfa0a6d33d240248f99ecf6.exe	79
PID 1288 wrote to memory of 5104	1288	cmd.exe	81
PID 1288 wrote to memory of 5104	1288	cmd.exe	81
PID 1288 wrote to memory of 5104	1288	cmd.exe	81
PID 1288 wrote to memory of 3436	1288	cmd.exe	83
PID 1288 wrote to memory of 3436	1288	cmd.exe	83
PID 1288 wrote to memory of 3436	1288	cmd.exe	83
PID 1288 wrote to memory of 3492	1288	cmd.exe	84
PID 1288 wrote to memory of 3492	1288	cmd.exe	84
PID 1288 wrote to memory of 3492	1288	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\0b45d35a3994b052a3444d904e71b60dec04ca7c5bfa0a6d33d240248f99ecf6.exe
"C:\Users\Admin\AppData\Local\Temp\0b45d35a3994b052a3444d904e71b60dec04ca7c5bfa0a6d33d240248f99ecf6.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ .bat""
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /f /im "0b45d35a3994b052a3444d904e71b60dec04ca7c5bfa0a6d33d240248f99ecf6.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5104
- - C:\Windows\SysWOW64\timeout.exe
    TIMEOUT /T 2
    3⤵
    - Delays execution with timeout.exe
    PID:3436
- - C:\Users\Admin\AppData\Local\Temp\F9.exe
    F9.exe
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0C535009\0C535009\0C535009\0C535009\0C535009\0C535009.ini

Filesize
464B

MD5
2f2d6cf8b980bdad2440a99bdf95e55c

SHA1
089b4d32589117a61aec140cec2cf1fc34ac0eab

SHA256
63060a3ce32d374df5befdc98be74f2a2d9f853346de4c5a51f4fd55aad5211f

SHA512
d6283a5cd6afaa9021e6c022014e1697584b0dda9f43bcf05cfd662cbb4e33bf3faf4dc888c8400ef7ccae4b138c70c8d49d2de107fe478f801791c2bfaa4cfb

Download Submit
C:\0C535009\0C535009\0C535009\0C535009\0C535009\0C535009.ini.ini

Filesize
455B

MD5
1b5ddc9ee2696d66a13bed25302c4e1b

SHA1
ae5657167429951242b3bd517005d6e9e7b0085c

SHA256
1c15a91b780f15d4c4e1990afd08ffeca43dfab6f296f8ea55988b3283748461

SHA512
501ec88825aee8c6505431df40992784d8f2e531f7755523dd4967f920d91bfe2d38301f30c860f663097c0ab235ebf422848f1c522ae64f3f7ed475eda39bf2

Download Submit
C:\0C535009\0C535009\0C535009\0C535009\0C535009\0C535009.ini.ini

Filesize
521B

MD5
95d1f7796150228a3c32e461acbf98c4

SHA1
340dbf94ebf9c31cbab5390e2a01b25cfb813816

SHA256
70c8926e3fba30de6099937538e9735c0216748f4a595e3115fd25da91a6282c

SHA512
9f657e07a7c37fe0e5cb469bbd9ebcd885d8738498c14ca97ed2cb321c33b120a5251fbf6d05b234ccd89cf3d497471fa304388a1fdc048def22081d09d940ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ .bat

Filesize
270B

MD5
258952b9e48a392547e4edf93e01482f

SHA1
e6dc501fbca8e2108c384feb2c698be2f2b92a09

SHA256
e181fddbdbe6d031bc4fd68531a3db0f655c8695fc2d8a16e775152188858a30

SHA512
f842e012fb686d044104c8dffd08323ce9a057b2cb401f95ef017863971aa82c8d72069deda9a667ed0257468c28b703506a3f23ce4b9aed4060b99ef33a9a74

Download Submit
memory/2440-0-0x0000000000E6E000-0x0000000001EAB000-memory.dmp

Filesize
16.2MB

Download
memory/2440-2-0x0000000003F40000-0x0000000003F41000-memory.dmp

Filesize
4KB

Download
memory/2440-6-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/2440-8-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/2440-7-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/2440-5-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/2440-4-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/2440-3-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/2440-1-0x0000000003F30000-0x0000000003F31000-memory.dmp

Filesize
4KB

Download
memory/2440-12-0x0000000000400000-0x0000000003751000-memory.dmp

Filesize
51.3MB

Download
memory/2440-33-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-45-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-55-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-53-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-51-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-49-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-47-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-62-0x0000000000400000-0x0000000003751000-memory.dmp

Filesize
51.3MB

Download
memory/2440-43-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-41-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-63-0x0000000005D90000-0x000000000657D000-memory.dmp

Filesize
7.9MB

Download
memory/2440-39-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-37-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-35-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-31-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-27-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-25-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-24-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-15-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-14-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-13-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-29-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-21-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-19-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-17-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-129-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2440-128-0x0000000000E6E000-0x0000000001EAB000-memory.dmp

Filesize
16.2MB

Download
memory/2440-130-0x0000000000400000-0x0000000003751000-memory.dmp

Filesize
51.3MB

Download
memory/2440-131-0x0000000000400000-0x0000000003751000-memory.dmp

Filesize
51.3MB

Download
memory/3492-137-0x0000000003A40000-0x0000000003A41000-memory.dmp

Filesize
4KB

Download
memory/3492-141-0x0000000003D80000-0x0000000003D81000-memory.dmp

Filesize
4KB

Download
memory/3492-140-0x0000000003D70000-0x0000000003D71000-memory.dmp

Filesize
4KB

Download
memory/3492-139-0x0000000003A60000-0x0000000003A61000-memory.dmp

Filesize
4KB

Download
memory/3492-138-0x0000000003A50000-0x0000000003A51000-memory.dmp

Filesize
4KB

Download
memory/3492-136-0x0000000003A10000-0x0000000003A11000-memory.dmp

Filesize
4KB

Download
memory/3492-135-0x0000000003A00000-0x0000000003A01000-memory.dmp

Filesize
4KB

Download
memory/3492-134-0x00000000039F0000-0x00000000039F1000-memory.dmp

Filesize
4KB

Download