f74bed37ff39840cd200c8ef355cba1e33495eeb4b2775b60c7c27a161198e90

Analysis

max time kernel
140s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pynacl/91787447.exe
Size

6.5MB
MD5

382d8a9708f98439d3c296793d63678b
SHA1

5f90f54af337a01024a304f408fad2f0de3e1c1e
SHA256

9178744797c11ca97840d5cf988b386f717fc5bedd19c125c0bff3d3e00e7816
SHA512

5f6634fa837a1df802fa0244591cd67301ce67ef4d13630f93830f7288bdc6c5ff544a66c638071b7235245629f00c477d56fd3edf0d0c61a70fb65d9c02d496
SSDEEP

196608:dvhQx028VugjZmEO6AyN/CBI5GnCeQHBxjsTnS1oebw:dJK02mb/xCixAe3c

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral6/memory/2484-0-0x00000000003D0000-0x0000000001086000-memory.dmp	upx
behavioral6/memory/2484-5-0x00000000003D0000-0x0000000001086000-memory.dmp	upx
behavioral6/memory/2484-6-0x00000000003D0000-0x0000000001086000-memory.dmp	upx
behavioral6/memory/2484-7-0x00000000003D0000-0x0000000001086000-memory.dmp	upx
behavioral6/memory/2484-8-0x00000000003D0000-0x0000000001086000-memory.dmp	upx
behavioral6/memory/2484-9-0x00000000003D0000-0x0000000001086000-memory.dmp	upx
behavioral6/memory/2484-10-0x00000000003D0000-0x0000000001086000-memory.dmp	upx
behavioral6/memory/2484-11-0x00000000003D0000-0x0000000001086000-memory.dmp	upx
behavioral6/memory/2484-12-0x00000000003D0000-0x0000000001086000-memory.dmp	upx
behavioral6/memory/2484-13-0x00000000003D0000-0x0000000001086000-memory.dmp	upx
behavioral6/memory/2484-14-0x00000000003D0000-0x0000000001086000-memory.dmp	upx
behavioral6/memory/2484-15-0x00000000003D0000-0x0000000001086000-memory.dmp	upx
behavioral6/memory/2484-16-0x00000000003D0000-0x0000000001086000-memory.dmp	upx
behavioral6/memory/2484-17-0x00000000003D0000-0x0000000001086000-memory.dmp	upx
behavioral6/memory/2484-18-0x00000000003D0000-0x0000000001086000-memory.dmp	upx
behavioral6/memory/2484-19-0x00000000003D0000-0x0000000001086000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\XCGUI.dll	91787447.exe

Loads dropped DLL 1 IoCs

pid	Process
2484	91787447.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4840	taskkill.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	2484	91787447.exe
Token: SeDebugPrivilege	2484	91787447.exe
Token: SeBackupPrivilege	2484	91787447.exe
Token: SeSystemtimePrivilege	2484	91787447.exe
Token: SeSystemtimePrivilege	2484	91787447.exe
Token: SeDebugPrivilege	4840	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2484	91787447.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 4840	2484	91787447.exe	87
PID 2484 wrote to memory of 4840	2484	91787447.exe	87

C:\Users\Admin\AppData\Local\Temp\pynacl\91787447.exe
"C:\Users\Admin\AppData\Local\Temp\pynacl\91787447.exe"
1⤵
- Drops file in System32 directory
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\system32\taskkill.exe
  taskkill /f /im regedit.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\XCGUI.dll

Filesize
2.8MB

MD5
d177a2197326011de932f84f690b6786

SHA1
61b69cecefa2e3dbf3a9b92bcc44e003f107d1b5

SHA256
ff176d09f18d8c7cea79a9542201931802c60a26d8ae88b2b3e23216a5f59881

SHA512
1de88b2aa908e4a2724cbc4f3240b01731aa86e79240c69687453fc7f5fe41020bb91d5484b9da48eb8b8c723ae7065e2a6b35b951f54bd9156182c3b7b4d6ec

Download Submit
memory/2484-11-0x00000000003D0000-0x0000000001086000-memory.dmp

Filesize
12.7MB

Download
memory/2484-10-0x00000000003D0000-0x0000000001086000-memory.dmp

Filesize
12.7MB

Download
memory/2484-6-0x00000000003D0000-0x0000000001086000-memory.dmp

Filesize
12.7MB

Download
memory/2484-7-0x00000000003D0000-0x0000000001086000-memory.dmp

Filesize
12.7MB

Download
memory/2484-12-0x00000000003D0000-0x0000000001086000-memory.dmp

Filesize
12.7MB

Download
memory/2484-9-0x00000000003D0000-0x0000000001086000-memory.dmp

Filesize
12.7MB

Download
memory/2484-5-0x00000000003D0000-0x0000000001086000-memory.dmp

Filesize
12.7MB

Download
memory/2484-0-0x00000000003D0000-0x0000000001086000-memory.dmp

Filesize
12.7MB

Download
memory/2484-8-0x00000000003D0000-0x0000000001086000-memory.dmp

Filesize
12.7MB

Download
memory/2484-13-0x00000000003D0000-0x0000000001086000-memory.dmp

Filesize
12.7MB

Download
memory/2484-14-0x00000000003D0000-0x0000000001086000-memory.dmp

Filesize
12.7MB

Download
memory/2484-15-0x00000000003D0000-0x0000000001086000-memory.dmp

Filesize
12.7MB

Download
memory/2484-16-0x00000000003D0000-0x0000000001086000-memory.dmp

Filesize
12.7MB

Download
memory/2484-17-0x00000000003D0000-0x0000000001086000-memory.dmp

Filesize
12.7MB

Download
memory/2484-18-0x00000000003D0000-0x0000000001086000-memory.dmp

Filesize
12.7MB

Download
memory/2484-19-0x00000000003D0000-0x0000000001086000-memory.dmp

Filesize
12.7MB

Download