dfde4df8173b90daa38575d60c96bfc157e045a04e16e46bf073a64fdfd1285e

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
09-06-2022 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

113ac743212e56ac38d22182d7b38385.exe
Size

196KB
MD5

113ac743212e56ac38d22182d7b38385
SHA1

f1098d33d3fe81e370ea1d75096f51d3bebcd855
SHA256

dfde4df8173b90daa38575d60c96bfc157e045a04e16e46bf073a64fdfd1285e
SHA512

ea3f71ea5a135c96a8b768ad4c1f5405892c28ec148981608de2433fdaca3bd80b2c90af5a39c9e67603829fabd1c60b11023511cc56f1d2d0106c747788c320

Score

10^/10

persistence suricata upx

Malware Config

Signatures

suricata: ET MALWARE Backdoor.Win32.Pushdo.s Checkin
suricata: ET MALWARE Backdoor.Win32.Pushdo.s Checkin
suricata
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1792-138-0x0000000004000000-0x0000000004218000-memory.dmp	upx
behavioral2/memory/2000-140-0x0000000004000000-0x0000000004215000-memory.dmp	upx
behavioral2/memory/2000-144-0x0000000004000000-0x0000000004215000-memory.dmp	upx
behavioral2/memory/2000-147-0x0000000004000000-0x0000000004215000-memory.dmp	upx
behavioral2/memory/5004-197-0x0000000004000000-0x000000000408E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exesvchost.exesvchost.exesvchost.exe113ac743212e56ac38d22182d7b38385.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Regedit32 = "C:\\Windows\\system32\\regedit.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Regedit32 = "C:\\Windows\\system32\\regedit.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Regedit32 = "C:\\Windows\\system32\\regedit.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Regedit32 = "C:\\Windows\\system32\\regedit.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tibqanobatib = "C:\\Users\\Admin\\tibqanobatib.exe"	113ac743212e56ac38d22182d7b38385.exe

Suspicious use of SetThreadContext 12 IoCs

Processes:

113ac743212e56ac38d22182d7b38385.exesvchost.exesvchost.exe

description	pid	process	target process
PID 4244 set thread context of 1792	4244	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 4244 set thread context of 2000	4244	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1792 set thread context of 3560	1792	svchost.exe	svchost.exe
PID 4244 set thread context of 4100	4244	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 2000 set thread context of 4488	2000	svchost.exe	svchost.exe
PID 1792 set thread context of 1884	1792	svchost.exe	svchost.exe
PID 2000 set thread context of 5036	2000	svchost.exe	svchost.exe
PID 1792 set thread context of 4172	1792	svchost.exe	svchost.exe
PID 2000 set thread context of 3328	2000	svchost.exe	svchost.exe
PID 1792 set thread context of 4468	1792	svchost.exe	svchost.exe
PID 2000 set thread context of 4284	2000	svchost.exe	svchost.exe
PID 4244 set thread context of 5004	4244	113ac743212e56ac38d22182d7b38385.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

113ac743212e56ac38d22182d7b38385.exe

pid process

4244 113ac743212e56ac38d22182d7b38385.exe
4244 113ac743212e56ac38d22182d7b38385.exe

pid	process
4244	113ac743212e56ac38d22182d7b38385.exe
4244	113ac743212e56ac38d22182d7b38385.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

113ac743212e56ac38d22182d7b38385.exesvchost.exesvchost.exe

description	pid	process	target process
PID 4244 wrote to memory of 1792	4244	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 4244 wrote to memory of 1792	4244	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 4244 wrote to memory of 1792	4244	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 4244 wrote to memory of 1792	4244	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 4244 wrote to memory of 1792	4244	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 4244 wrote to memory of 2000	4244	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 4244 wrote to memory of 2000	4244	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 4244 wrote to memory of 2000	4244	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 4244 wrote to memory of 2000	4244	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1792 wrote to memory of 3560	1792	svchost.exe	svchost.exe
PID 1792 wrote to memory of 3560	1792	svchost.exe	svchost.exe
PID 1792 wrote to memory of 3560	1792	svchost.exe	svchost.exe
PID 1792 wrote to memory of 3560	1792	svchost.exe	svchost.exe
PID 4244 wrote to memory of 2000	4244	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 1792 wrote to memory of 3560	1792	svchost.exe	svchost.exe
PID 4244 wrote to memory of 4100	4244	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 4244 wrote to memory of 4100	4244	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 4244 wrote to memory of 4100	4244	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 4244 wrote to memory of 4100	4244	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 4244 wrote to memory of 4100	4244	113ac743212e56ac38d22182d7b38385.exe	svchost.exe
PID 2000 wrote to memory of 4488	2000	svchost.exe	svchost.exe
PID 2000 wrote to memory of 4488	2000	svchost.exe	svchost.exe
PID 2000 wrote to memory of 4488	2000	svchost.exe	svchost.exe
PID 2000 wrote to memory of 4488	2000	svchost.exe	svchost.exe
PID 1792 wrote to memory of 3560	1792	svchost.exe	svchost.exe
PID 1792 wrote to memory of 1884	1792	svchost.exe	svchost.exe
PID 1792 wrote to memory of 1884	1792	svchost.exe	svchost.exe
PID 1792 wrote to memory of 1884	1792	svchost.exe	svchost.exe
PID 1792 wrote to memory of 1884	1792	svchost.exe	svchost.exe
PID 2000 wrote to memory of 4488	2000	svchost.exe	svchost.exe
PID 1792 wrote to memory of 1884	1792	svchost.exe	svchost.exe
PID 2000 wrote to memory of 4488	2000	svchost.exe	svchost.exe
PID 2000 wrote to memory of 5036	2000	svchost.exe	svchost.exe
PID 2000 wrote to memory of 5036	2000	svchost.exe	svchost.exe
PID 2000 wrote to memory of 5036	2000	svchost.exe	svchost.exe
PID 2000 wrote to memory of 5036	2000	svchost.exe	svchost.exe
PID 2000 wrote to memory of 5036	2000	svchost.exe	svchost.exe
PID 1792 wrote to memory of 1884	1792	svchost.exe	svchost.exe
PID 1792 wrote to memory of 4172	1792	svchost.exe	svchost.exe
PID 1792 wrote to memory of 4172	1792	svchost.exe	svchost.exe
PID 1792 wrote to memory of 4172	1792	svchost.exe	svchost.exe
PID 1792 wrote to memory of 4172	1792	svchost.exe	svchost.exe
PID 1792 wrote to memory of 4172	1792	svchost.exe	svchost.exe
PID 2000 wrote to memory of 5036	2000	svchost.exe	svchost.exe
PID 2000 wrote to memory of 3328	2000	svchost.exe	svchost.exe
PID 2000 wrote to memory of 3328	2000	svchost.exe	svchost.exe
PID 2000 wrote to memory of 3328	2000	svchost.exe	svchost.exe
PID 2000 wrote to memory of 3328	2000	svchost.exe	svchost.exe
PID 2000 wrote to memory of 3328	2000	svchost.exe	svchost.exe
PID 1792 wrote to memory of 4172	1792	svchost.exe	svchost.exe
PID 1792 wrote to memory of 4468	1792	svchost.exe	svchost.exe
PID 1792 wrote to memory of 4468	1792	svchost.exe	svchost.exe
PID 1792 wrote to memory of 4468	1792	svchost.exe	svchost.exe
PID 1792 wrote to memory of 4468	1792	svchost.exe	svchost.exe
PID 1792 wrote to memory of 4468	1792	svchost.exe	svchost.exe
PID 2000 wrote to memory of 3328	2000	svchost.exe	svchost.exe
PID 2000 wrote to memory of 4284	2000	svchost.exe	svchost.exe
PID 2000 wrote to memory of 4284	2000	svchost.exe	svchost.exe
PID 2000 wrote to memory of 4284	2000	svchost.exe	svchost.exe
PID 2000 wrote to memory of 4284	2000	svchost.exe	svchost.exe
PID 1792 wrote to memory of 4468	1792	svchost.exe	svchost.exe
PID 2000 wrote to memory of 4284	2000	svchost.exe	svchost.exe
PID 2000 wrote to memory of 4284	2000	svchost.exe	svchost.exe
PID 4244 wrote to memory of 5004	4244	113ac743212e56ac38d22182d7b38385.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\113ac743212e56ac38d22182d7b38385.exe
"C:\Users\Admin\AppData\Local\Temp\113ac743212e56ac38d22182d7b38385.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:3560

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1884

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4172

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4468

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:4100

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Adds Run key to start application
PID:3328

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Adds Run key to start application
PID:4284

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:5004

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Adds Run key to start application
PID:4488

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Adds Run key to start application
PID:5036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1792-138-0x0000000004000000-0x0000000004218000-memory.dmp

Filesize
2.1MB

Download
memory/1792-148-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1792-137-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1792-136-0x0000000000000000-mapping.dmp

Download
memory/1884-163-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1884-181-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1884-153-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1884-158-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1884-152-0x0000000000000000-mapping.dmp

Download
memory/1884-191-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/2000-139-0x0000000000000000-mapping.dmp

Download
memory/2000-140-0x0000000004000000-0x0000000004215000-memory.dmp

Filesize
2.1MB

Download
memory/2000-144-0x0000000004000000-0x0000000004215000-memory.dmp

Filesize
2.1MB

Download
memory/2000-147-0x0000000004000000-0x0000000004215000-memory.dmp

Filesize
2.1MB

Download
memory/3328-171-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/3328-178-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/3328-164-0x0000000000000000-mapping.dmp

Download
memory/3328-187-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/3328-186-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/3328-166-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/3560-141-0x0000000000000000-mapping.dmp

Download
memory/3560-172-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/3560-154-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/3560-165-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/3560-149-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/3560-142-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/4100-146-0x000000007F070000-0x000000007F09B000-memory.dmp

Filesize
172KB

Download
memory/4100-145-0x0000000000000000-mapping.dmp

Download
memory/4172-161-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/4172-185-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/4172-173-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/4172-167-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/4172-160-0x0000000000000000-mapping.dmp

Download
memory/4172-192-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/4244-130-0x0000000000431000-0x000000000043C000-memory.dmp

Filesize
44KB

Download
memory/4244-131-0x0000000002140000-0x0000000002153000-memory.dmp

Filesize
76KB

Download
memory/4244-133-0x0000000000431000-0x000000000043C000-memory.dmp

Filesize
44KB

Download
memory/4244-132-0x0000000004000000-0x00000000044FB000-memory.dmp

Filesize
5.0MB

Download
memory/4244-134-0x0000000002140000-0x0000000002153000-memory.dmp

Filesize
76KB

Download
memory/4244-135-0x0000000004000000-0x00000000044FB000-memory.dmp

Filesize
5.0MB

Download
memory/4284-183-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/4284-189-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/4284-180-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/4284-194-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/4284-174-0x0000000000000000-mapping.dmp

Download
memory/4284-177-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/4468-169-0x0000000000000000-mapping.dmp

Download
memory/4468-170-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/4468-179-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/4468-188-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/4468-176-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/4468-193-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/4488-151-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/4488-190-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/4488-155-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/4488-175-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/4488-150-0x0000000000000000-mapping.dmp

Download
memory/4488-159-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/5004-195-0x0000000000000000-mapping.dmp

Download
memory/5004-197-0x0000000004000000-0x000000000408E000-memory.dmp

Filesize
568KB

Download
memory/5004-198-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5036-156-0x0000000000000000-mapping.dmp

Download
memory/5036-184-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/5036-168-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/5036-162-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/5036-182-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/5036-157-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download