be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd

General

Target

be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe
Size

828KB
MD5

72700cb0d075d477bb06c4b939f9b3a6
SHA1

856102b4864ec296f7ea50b607935da5f9a4e102
SHA256

be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd
SHA512

b39a4ba2dfb6fba8306cd115872721c6a185cc763dd13791154b3109242853bc921162e3533f9ba5cfe0d41f54774c4d03d1b91509772ba02dcf059adcd7eea7

Score

10^/10

persistence suricata upx

Malware Config

Signatures

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/964-64-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/964-65-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/964-61-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/964-55-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/964-66-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\4b7656a384744932c669fd2c0fe50764 = "regsvr32.exe /s /n /u /i:\"C:\\Users\\Admin\\AppData\\Roaming\\NV8QLELF0U.txt\" scrobj.dll."	be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe

description	pid	process	target process
PID 2012 set thread context of 964	2012	be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe	be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe

pid	process
2012	be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe
2012	be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe

description	pid	process	target process
PID 2012 wrote to memory of 964	2012	be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe	be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe
PID 2012 wrote to memory of 964	2012	be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe	be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe
PID 2012 wrote to memory of 964	2012	be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe	be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe
PID 2012 wrote to memory of 964	2012	be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe	be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe
PID 2012 wrote to memory of 964	2012	be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe	be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe

C:\Users\Admin\AppData\Local\Temp\be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe
"C:\Users\Admin\AppData\Local\Temp\be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe
C:\Users\Admin\AppData\Local\Temp\be94526611d6f5597ff276d439a5bad8c6b414607066e68cf2abb24651c674bd.exe
2⤵
- Adds Run key to start application
PID:964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/964-60-0x000000000045AEC0-mapping.dmp

Download
memory/964-64-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/964-65-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/964-61-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/964-55-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/964-66-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2012-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/2012-62-0x0000000000680000-0x0000000000690000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads