87f878ca59e44316c88fc1ac09a595899c4717a415d5a5b8792a0e561d4e7f6f

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a763906d44e5ea389189e1dba72b7ea0N.exe
Size

72KB
MD5

a763906d44e5ea389189e1dba72b7ea0
SHA1

af6bcc5ee1dabd86be7113e8dfe8731a8d039a9c
SHA256

87f878ca59e44316c88fc1ac09a595899c4717a415d5a5b8792a0e561d4e7f6f
SHA512

9a8d3090d0b7934fca1a0be65de7ca5d50beb79fd9a257a6de2a0110ff8752335a4c82ac45ac587bb3d19d2dcd38a510cfa4acb88509bc488af7928a418c0a7f
SSDEEP

1536:yMp8CyThXLmVyuV7GNKLkjP5zuSQxIF3+ftQSK5Rv7:yMuZTQISGCuPFF8Q3+Cv5RD

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2756	Sysceamflmsp.exe

Executes dropped EXE 1 IoCs

pid	Process
2756	Sysceamflmsp.exe

Loads dropped DLL 2 IoCs

pid	Process
2380	a763906d44e5ea389189e1dba72b7ea0N.exe
2380	a763906d44e5ea389189e1dba72b7ea0N.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2380-0-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/files/0x0008000000015e47-10.dat	upx
behavioral1/memory/2756-19-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2380-12-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2756-24-0x0000000000400000-0x0000000000466000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a763906d44e5ea389189e1dba72b7ea0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe
2756	Sysceamflmsp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2756	2380	a763906d44e5ea389189e1dba72b7ea0N.exe	31
PID 2380 wrote to memory of 2756	2380	a763906d44e5ea389189e1dba72b7ea0N.exe	31
PID 2380 wrote to memory of 2756	2380	a763906d44e5ea389189e1dba72b7ea0N.exe	31
PID 2380 wrote to memory of 2756	2380	a763906d44e5ea389189e1dba72b7ea0N.exe	31

C:\Users\Admin\AppData\Local\Temp\a763906d44e5ea389189e1dba72b7ea0N.exe
"C:\Users\Admin\AppData\Local\Temp\a763906d44e5ea389189e1dba72b7ea0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\Sysceamflmsp.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamflmsp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
71B

MD5
60a041b3716e4a91ca626326f776796c

SHA1
e6e029474a8c2c965c28181863cf8e59b36bc1a0

SHA256
039b95ac920e8519cbd91e852a52112ea5f6e7cc47b2dd23de6d5b4d7f44d3a8

SHA512
2d00d84a4fe4656d603e514a4b6d90150cd9b841b9ce15d5e7969071197ca65e515a8b88c5eb1f7b36ad200a9ea6b562afc48fcbd1bfe33c5263b84845c2f4ad

Download Submit
\Users\Admin\AppData\Local\Temp\Sysceamflmsp.exe

Filesize
72KB

MD5
4bdd2032ec43451e48d7fd8f8cdd269c

SHA1
959e6eedf03a6ad35a694a79ce0d25b3e634491a

SHA256
fb5907c3247350d38b5ac79ff0fc4ef2ab2ee31ef9322a40834c783421ac04c5

SHA512
09eed602bb6579fd827ae744ca51eda42a32ae5bc724a6ac2e860d7c839526684c7d47cb8a22a1ef6a2fad7358685df76c8a9ff16f521b6b67f09af6a390c5ac

Download Submit
memory/2380-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2380-17-0x0000000003A00000-0x0000000003A66000-memory.dmp

Filesize
408KB

Download
memory/2380-12-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2756-19-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2756-24-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download