dfde4df8173b90daa38575d60c96bfc157e045a04e16e46bf073a64fdfd1285e

Analysis

max time kernel
152s
max time network
155s
platform
windows7_x64
resource
win7-20220414-en
submitted
09-06-2022 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

113ac743212e56ac38d22182d7b38385.exe
Size

196KB
MD5

113ac743212e56ac38d22182d7b38385
SHA1

f1098d33d3fe81e370ea1d75096f51d3bebcd855
SHA256

dfde4df8173b90daa38575d60c96bfc157e045a04e16e46bf073a64fdfd1285e
SHA512

ea3f71ea5a135c96a8b768ad4c1f5405892c28ec148981608de2433fdaca3bd80b2c90af5a39c9e67603829fabd1c60b11023511cc56f1d2d0106c747788c320

Score

10^/10

persistence suricata upx

Malware Config

Signatures

suricata: ET MALWARE Backdoor.Win32.Pushdo.s Checkin
suricata: ET MALWARE Backdoor.Win32.Pushdo.s Checkin
suricata
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1848-60-0x0000000004000000-0x0000000004215000-memory.dmp	upx
behavioral1/memory/1548-68-0x0000000004000000-0x0000000004218000-memory.dmp	upx
behavioral1/memory/1848-69-0x0000000004000000-0x0000000004215000-memory.dmp	upx
behavioral1/memory/1848-73-0x0000000004000000-0x0000000004215000-memory.dmp	upx
behavioral1/memory/1720-78-0x0000000004000000-0x000000000408E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exesvchost.exe113ac743212e56ac38d22182d7b38385.exesvchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Regedit32 = "C:\\Windows\\system32\\regedit.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Regedit32 = "C:\\Windows\\system32\\regedit.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\tibqanobatib = "C:\\Users\\Admin\\tibqanobatib.exe"	113ac743212e56ac38d22182d7b38385.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Regedit32 = "C:\\Windows\\system32\\regedit.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Regedit32 = "C:\\Windows\\system32\\regedit.exe"	svchost.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

113ac743212e56ac38d22182d7b38385.exesvchost.exesvchost.exe

description	pid	process	target process
PID 1864 set thread context of 1848	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1864 set thread context of 1548	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1864 set thread context of 1720	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1548 set thread context of 1940	1548	svchost.exe	svchost.exe
PID 1848 set thread context of 828	1848	svchost.exe	svchost.exe
PID 1548 set thread context of 884	1548	svchost.exe	svchost.exe
PID 1848 set thread context of 1656	1848	svchost.exe	svchost.exe
PID 1548 set thread context of 696	1548	svchost.exe	svchost.exe
PID 1548 set thread context of 1616	1548	svchost.exe	svchost.exe
PID 1848 set thread context of 280	1848	svchost.exe	svchost.exe
PID 1848 set thread context of 2724	1848	svchost.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

113ac743212e56ac38d22182d7b38385.exe

pid process

1864 113ac743212e56ac38d22182d7b38385.exe

pid	process
1864	113ac743212e56ac38d22182d7b38385.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

113ac743212e56ac38d22182d7b38385.exesvchost.exesvchost.exe

description	pid	process	target process
PID 1864 wrote to memory of 1848	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1864 wrote to memory of 1848	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1864 wrote to memory of 1848	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1864 wrote to memory of 1848	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1864 wrote to memory of 1848	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1864 wrote to memory of 1848	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1864 wrote to memory of 1548	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1864 wrote to memory of 1548	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1864 wrote to memory of 1548	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1864 wrote to memory of 1548	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1864 wrote to memory of 1548	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1864 wrote to memory of 1548	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1864 wrote to memory of 1720	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1864 wrote to memory of 1720	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1864 wrote to memory of 1720	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1864 wrote to memory of 1720	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1548 wrote to memory of 1940	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 1940	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 1940	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 1940	1548	svchost.exe	svchost.exe
PID 1864 wrote to memory of 1720	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1864 wrote to memory of 1720	1864	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1848 wrote to memory of 828	1848	svchost.exe	svchost.exe
PID 1848 wrote to memory of 828	1848	svchost.exe	svchost.exe
PID 1848 wrote to memory of 828	1848	svchost.exe	svchost.exe
PID 1848 wrote to memory of 828	1848	svchost.exe	svchost.exe
PID 1548 wrote to memory of 1940	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 1940	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 1940	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 884	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 884	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 884	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 884	1548	svchost.exe	svchost.exe
PID 1848 wrote to memory of 828	1848	svchost.exe	svchost.exe
PID 1848 wrote to memory of 828	1848	svchost.exe	svchost.exe
PID 1548 wrote to memory of 884	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 884	1548	svchost.exe	svchost.exe
PID 1848 wrote to memory of 828	1848	svchost.exe	svchost.exe
PID 1848 wrote to memory of 1656	1848	svchost.exe	svchost.exe
PID 1848 wrote to memory of 1656	1848	svchost.exe	svchost.exe
PID 1848 wrote to memory of 1656	1848	svchost.exe	svchost.exe
PID 1848 wrote to memory of 1656	1848	svchost.exe	svchost.exe
PID 1548 wrote to memory of 884	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 696	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 696	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 696	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 696	1548	svchost.exe	svchost.exe
PID 1848 wrote to memory of 1656	1848	svchost.exe	svchost.exe
PID 1848 wrote to memory of 1656	1848	svchost.exe	svchost.exe
PID 1548 wrote to memory of 696	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 696	1548	svchost.exe	svchost.exe
PID 1848 wrote to memory of 1656	1848	svchost.exe	svchost.exe
PID 1848 wrote to memory of 280	1848	svchost.exe	svchost.exe
PID 1848 wrote to memory of 280	1848	svchost.exe	svchost.exe
PID 1848 wrote to memory of 280	1848	svchost.exe	svchost.exe
PID 1848 wrote to memory of 280	1848	svchost.exe	svchost.exe
PID 1548 wrote to memory of 696	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 1616	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 1616	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 1616	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 1616	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 1616	1548	svchost.exe	svchost.exe
PID 1548 wrote to memory of 1616	1548	svchost.exe	svchost.exe
PID 1848 wrote to memory of 280	1848	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\113ac743212e56ac38d22182d7b38385.exe
"C:\Users\Admin\AppData\Local\Temp\113ac743212e56ac38d22182d7b38385.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Adds Run key to start application
PID:828

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Adds Run key to start application
PID:1656

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Adds Run key to start application
PID:280

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Adds Run key to start application
PID:2724

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:1720

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1940

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:884

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:696

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8ZIBDOTB.txt

Filesize
219B

MD5
f32e1d04f758ae4a3cd3141092274c98

SHA1
0bc8d911479fb0f9a95d6e50f915bbab53901e3a

SHA256
b281b4d885aa7a6be5e4c5ed15ca5b91614afb23808ad9db8c45c6193f1fe26f

SHA512
bb43b305983f0af654f59b6fe523d281b5a8d8a1991d5a4be637f6f672c0dbbaeb8a33704340fd6180567174cfa7730165792cfdb40eab0c8bd76c8d98698257

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AR2N5G24.txt

Filesize
85B

MD5
60e2371a98222ac1a04bc86e3ef6dd77

SHA1
7c3be14b46231e60e3ed78c53fc314578c9886ce

SHA256
75d9578abd8e516fac390198f8d6a1e3704ec989100b0f3e7a873f1d70fcc27a

SHA512
c1a4d324793f6349bae3c47bba2d696bc440dbcad6cabd863217454e9008b464da07afdf36e53ed1ec463fd09f9cfee2d896bbe6b2fe343b77cb8a87aa8be70c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\D0AC0DDT.txt

Filesize
176B

MD5
3d210449934f114e15e8cae4741f8c6f

SHA1
0186e11c2a41f13dd591601df8efdd53f2cf2968

SHA256
fd388943216c00c6c97472576ff0e7d91abaa6044234b77b3b17171c799e9afd

SHA512
456cac71a35d46867f78e57b2d4f3226df04c04def5d7ea69953b1541c512936078e6b7f020a3d684da2de8e152ab5541a078ddb66596f013d6a51fae855030c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\J16K2785.txt

Filesize
178B

MD5
90fe05402c8bcd201e7ff07ffed15d9c

SHA1
ded25d6594b97641e3732feee8e453a653ec3841

SHA256
ada7e3b7f027471aea0bb504cf0a2b6a2186cb74e2b2c88babebb7f74d0e6035

SHA512
e61505af24243224ca4925a979330d9549d02a474993d2da7fe9623302774a08e1d0a125ac536e93dce9e3d667f324f354a59c364f609ebdb7592a426d68f6e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LU0GKZ3D.txt

Filesize
176B

MD5
ff20f30a7f971a399acb8e5580196fc6

SHA1
0c7909014514ec0ba910093cf2ef6802c3d4f85a

SHA256
545ca427e6c37d9def17346b228e7194d9bd7af674d9400e453e65be4269f5a6

SHA512
80b8703866a918c1ca42adcc11312b839787eea4b78b55a1249345f245599178a095e60e3c69f8e49faf83bc1bd60db4ff2ff3dc47f99a5b3b85aec99fc7169f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MCDHE18Y.txt

Filesize
176B

MD5
7f168aefed057c3bbe4ab87dda0ad64f

SHA1
296c287661f715ad2087ae5cb00f9242d8d5fe24

SHA256
8e1ab40b1c7337e5e4ca56f227cefb6e414fae16088c728d7c22fca920d2c86d

SHA512
96224374add861691d00e65221bc393313d66b1f0c2c6a464bbe189b0f965c9276d87824367f805f498432e17374c130b7512f5650f2875a1aa88388de71c67a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\N6601U2L.txt

Filesize
178B

MD5
5af25ad2e240898cbe4943bcc2e4df96

SHA1
104dd99582b25f0816b5b6de064b34d949d357e5

SHA256
629d2009f16353b8c7b716612048e65417d4613a024a0a3b8da3cb5086493c25

SHA512
97277a711310e6261990bc5a0e5a59fda6d7f3344b3608fa3ae53c7620924d4fb98e0906b8ad63afbb36fc513ff24311a266a3f907c39a797ca890c6ab364660

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OBN1B75P.txt

Filesize
86B

MD5
a409bd434f94f0d5c9887c910cc020d2

SHA1
46a27a69c982232842c56807b25d61ace21c47c3

SHA256
e22eb029df3441e0e94f3336d85a3bb1c79a922fae990693fd73abeb0063d9e2

SHA512
6dd2a017a32d1c80a512018473205841e92a45dfdeb0b61e9319e3fcec9ff3cd431444b24f22c8ed72987acd66793202ffa2817f082a767f0dfb1234d2e1ef37

Download Submit
memory/280-135-0x0000000013143509-mapping.dmp

Download
memory/280-163-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/280-164-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/280-128-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/696-143-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/696-170-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/696-110-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/696-123-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/696-114-0x0000000013143529-mapping.dmp

Download
memory/696-145-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/828-168-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/828-107-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/828-88-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/828-90-0x0000000013143509-mapping.dmp

Download
memory/828-142-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/828-125-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/884-151-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/884-140-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/884-108-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/884-89-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/884-94-0x0000000013143519-mapping.dmp

Download
memory/1548-63-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1548-79-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1548-68-0x0000000004000000-0x0000000004218000-memory.dmp

Filesize
2.1MB

Download
memory/1548-65-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1548-66-0x0000000000401000-mapping.dmp

Download
memory/1616-146-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1616-154-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/1616-171-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1616-129-0x0000000013143529-mapping.dmp

Download
memory/1616-127-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1656-153-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1656-104-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1656-120-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1656-144-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/1656-109-0x0000000013143509-mapping.dmp

Download
memory/1720-80-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1720-78-0x0000000004000000-0x000000000408E000-memory.dmp

Filesize
568KB

Download
memory/1720-74-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1720-67-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1720-76-0x0000000000401000-mapping.dmp

Download
memory/1848-73-0x0000000004000000-0x0000000004215000-memory.dmp

Filesize
2.1MB

Download
memory/1848-69-0x0000000004000000-0x0000000004215000-memory.dmp

Filesize
2.1MB

Download
memory/1848-58-0x0000000004000000-0x0000000004215000-memory.dmp

Filesize
2.1MB

Download
memory/1848-60-0x0000000004000000-0x0000000004215000-memory.dmp

Filesize
2.1MB

Download
memory/1848-61-0x0000000004212E80-mapping.dmp

Download
memory/1864-56-0x0000000004000000-0x00000000044FB000-memory.dmp

Filesize
5.0MB

Download
memory/1864-162-0x0000000004000000-0x00000000044FB000-memory.dmp

Filesize
5.0MB

Download
memory/1864-161-0x000000000052F000-0x000000000053A000-memory.dmp

Filesize
44KB

Download
memory/1864-54-0x000000000052F000-0x000000000053A000-memory.dmp

Filesize
44KB

Download
memory/1864-57-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1864-55-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/1940-139-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1940-169-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1940-70-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1940-77-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1940-81-0x0000000013143504-mapping.dmp

Download
memory/1940-83-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/1940-141-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/1940-106-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/2724-166-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/2724-165-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/2724-155-0x0000000013143509-mapping.dmp

Download