Analysis
-
max time kernel
51s -
max time network
35s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17-12-2024 18:25
Behavioral task
behavioral1
Sample
upx.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
60 seconds
General
-
Target
upx.exe
-
Size
14.8MB
-
MD5
f455be9af5edfdb2a3ea974d743f91b6
-
SHA1
8a4bab4f65c3b1c54f58786c67d94f900e5cd0b0
-
SHA256
ca048c463dcdf91e84ddc260bc0cadb6b0d8a68f92dc527c4038f7a6ab7c32b4
-
SHA512
98248a6e03084b7df36bbdca5cc0d0d01ad5f4d83a86fb9d6235d8b692bafeaee0c361b905a05289e91457b829d2cc9a3afe28516c7b84387e3710891ea1db1c
-
SSDEEP
196608:+itOI01DSfgMh0DVL6MzfCmMIEtVzxHejiO9rMyORk:+iUI4DYoLjCVtthxHdyOi
Score
6/10
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe" upx.exe -
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 38 IoCs
pid Process 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 1240 taskmgr.exe 1240 taskmgr.exe 1240 taskmgr.exe 1240 taskmgr.exe 1240 taskmgr.exe 1240 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeDebugPrivilege 2164 upx.exe Token: SeDebugPrivilege 4884 taskmgr.exe Token: SeSystemProfilePrivilege 4884 taskmgr.exe Token: SeCreateGlobalPrivilege 4884 taskmgr.exe Token: 33 4884 taskmgr.exe Token: SeIncBasePriorityPrivilege 4884 taskmgr.exe Token: SeDebugPrivilege 4208 taskmgr.exe Token: SeSystemProfilePrivilege 4208 taskmgr.exe Token: SeCreateGlobalPrivilege 4208 taskmgr.exe Token: 33 4208 taskmgr.exe Token: SeIncBasePriorityPrivilege 4208 taskmgr.exe Token: SeDebugPrivilege 1240 taskmgr.exe Token: SeSystemProfilePrivilege 1240 taskmgr.exe Token: SeCreateGlobalPrivilege 1240 taskmgr.exe Token: 33 1240 taskmgr.exe Token: SeIncBasePriorityPrivilege 1240 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4884 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe 4208 taskmgr.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 2164 wrote to memory of 3708 2164 upx.exe 84 PID 2164 wrote to memory of 3708 2164 upx.exe 84 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 3708 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\upx.exe"C:\Users\Admin\AppData\Local\Temp\upx.exe"1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\AppData\Local\Temp\upx.exe2⤵
- Views/modifies file attributes
PID:3708
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4884
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2648
-
C:\Windows\System32\ljh0xx.exe"C:\Windows\System32\ljh0xx.exe"1⤵PID:4600
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4208
-
C:\Windows\System32\ljh0xx.exe"C:\Windows\System32\ljh0xx.exe"1⤵PID:1144
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1240
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
5.6MB
MD5ef5a59c1298ca92a663e7554da18fa61
SHA117a6c8f812343b3e87fe896e5a38672dbdcc5200
SHA256e4c21d7d81b918c26adfafbf55e2acd7aa37f315a959b7f519b2efedbe6a0e0f
SHA512c71fea760ad1f2ac42c55b68cba9440dca0132aa824ca0052c120e52c378a969acac35fe4a41d0a192521df6115d67cb3a8c58cd9a86cbcb8a522eea612f2804