f74bed37ff39840cd200c8ef355cba1e33495eeb4b2775b60c7c27a161198e90

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pynacl/91787447.exe
Size

6.5MB
MD5

382d8a9708f98439d3c296793d63678b
SHA1

5f90f54af337a01024a304f408fad2f0de3e1c1e
SHA256

9178744797c11ca97840d5cf988b386f717fc5bedd19c125c0bff3d3e00e7816
SHA512

5f6634fa837a1df802fa0244591cd67301ce67ef4d13630f93830f7288bdc6c5ff544a66c638071b7235245629f00c477d56fd3edf0d0c61a70fb65d9c02d496
SSDEEP

196608:dvhQx028VugjZmEO6AyN/CBI5GnCeQHBxjsTnS1oebw:dJK02mb/xCixAe3c

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral5/memory/2136-1-0x0000000000B00000-0x00000000017B6000-memory.dmp	upx
behavioral5/memory/2136-5-0x0000000000B00000-0x00000000017B6000-memory.dmp	upx
behavioral5/memory/2136-6-0x0000000000B00000-0x00000000017B6000-memory.dmp	upx
behavioral5/memory/2136-7-0x0000000000B00000-0x00000000017B6000-memory.dmp	upx
behavioral5/memory/2136-8-0x0000000000B00000-0x00000000017B6000-memory.dmp	upx
behavioral5/memory/2136-9-0x0000000000B00000-0x00000000017B6000-memory.dmp	upx
behavioral5/memory/2136-10-0x0000000000B00000-0x00000000017B6000-memory.dmp	upx
behavioral5/memory/2136-11-0x0000000000B00000-0x00000000017B6000-memory.dmp	upx
behavioral5/memory/2136-12-0x0000000000B00000-0x00000000017B6000-memory.dmp	upx
behavioral5/memory/2136-13-0x0000000000B00000-0x00000000017B6000-memory.dmp	upx
behavioral5/memory/2136-14-0x0000000000B00000-0x00000000017B6000-memory.dmp	upx
behavioral5/memory/2136-15-0x0000000000B00000-0x00000000017B6000-memory.dmp	upx
behavioral5/memory/2136-16-0x0000000000B00000-0x00000000017B6000-memory.dmp	upx
behavioral5/memory/2136-17-0x0000000000B00000-0x00000000017B6000-memory.dmp	upx
behavioral5/memory/2136-18-0x0000000000B00000-0x00000000017B6000-memory.dmp	upx
behavioral5/memory/2136-19-0x0000000000B00000-0x00000000017B6000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\XCGUI.dll	91787447.exe

Loads dropped DLL 1 IoCs

pid	Process
2136	91787447.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2508	taskkill.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	2136	91787447.exe
Token: SeDebugPrivilege	2136	91787447.exe
Token: SeBackupPrivilege	2136	91787447.exe
Token: SeSystemtimePrivilege	2136	91787447.exe
Token: SeDebugPrivilege	2508	taskkill.exe
Token: SeSystemtimePrivilege	2136	91787447.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2508	2136	91787447.exe	31
PID 2136 wrote to memory of 2508	2136	91787447.exe	31
PID 2136 wrote to memory of 2508	2136	91787447.exe	31

C:\Users\Admin\AppData\Local\Temp\pynacl\91787447.exe
"C:\Users\Admin\AppData\Local\Temp\pynacl\91787447.exe"
1⤵
- Drops file in System32 directory
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\system32\taskkill.exe
  taskkill /f /im regedit.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\System32\XCGUI.dll

Filesize
2.8MB

MD5
d177a2197326011de932f84f690b6786

SHA1
61b69cecefa2e3dbf3a9b92bcc44e003f107d1b5

SHA256
ff176d09f18d8c7cea79a9542201931802c60a26d8ae88b2b3e23216a5f59881

SHA512
1de88b2aa908e4a2724cbc4f3240b01731aa86e79240c69687453fc7f5fe41020bb91d5484b9da48eb8b8c723ae7065e2a6b35b951f54bd9156182c3b7b4d6ec

Download Submit
memory/2136-1-0x0000000000B00000-0x00000000017B6000-memory.dmp

Filesize
12.7MB

Download
memory/2136-5-0x0000000000B00000-0x00000000017B6000-memory.dmp

Filesize
12.7MB

Download
memory/2136-6-0x0000000000B00000-0x00000000017B6000-memory.dmp

Filesize
12.7MB

Download
memory/2136-7-0x0000000000B00000-0x00000000017B6000-memory.dmp

Filesize
12.7MB

Download
memory/2136-8-0x0000000000B00000-0x00000000017B6000-memory.dmp

Filesize
12.7MB

Download
memory/2136-9-0x0000000000B00000-0x00000000017B6000-memory.dmp

Filesize
12.7MB

Download
memory/2136-10-0x0000000000B00000-0x00000000017B6000-memory.dmp

Filesize
12.7MB

Download
memory/2136-11-0x0000000000B00000-0x00000000017B6000-memory.dmp

Filesize
12.7MB

Download
memory/2136-12-0x0000000000B00000-0x00000000017B6000-memory.dmp

Filesize
12.7MB

Download
memory/2136-13-0x0000000000B00000-0x00000000017B6000-memory.dmp

Filesize
12.7MB

Download
memory/2136-14-0x0000000000B00000-0x00000000017B6000-memory.dmp

Filesize
12.7MB

Download
memory/2136-15-0x0000000000B00000-0x00000000017B6000-memory.dmp

Filesize
12.7MB

Download
memory/2136-16-0x0000000000B00000-0x00000000017B6000-memory.dmp

Filesize
12.7MB

Download
memory/2136-17-0x0000000000B00000-0x00000000017B6000-memory.dmp

Filesize
12.7MB

Download
memory/2136-18-0x0000000000B00000-0x00000000017B6000-memory.dmp

Filesize
12.7MB

Download
memory/2136-19-0x0000000000B00000-0x00000000017B6000-memory.dmp

Filesize
12.7MB

Download