dfde4df8173b90daa38575d60c96bfc157e045a04e16e46bf073a64fdfd1285e

Analysis

max time kernel
99s
max time network
153s
platform
windows7_x64
resource
win7-20220414-en
submitted
11-06-2022 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

196KB
MD5

113ac743212e56ac38d22182d7b38385
SHA1

f1098d33d3fe81e370ea1d75096f51d3bebcd855
SHA256

dfde4df8173b90daa38575d60c96bfc157e045a04e16e46bf073a64fdfd1285e
SHA512

ea3f71ea5a135c96a8b768ad4c1f5405892c28ec148981608de2433fdaca3bd80b2c90af5a39c9e67603829fabd1c60b11023511cc56f1d2d0106c747788c320

Score

10^/10

persistence suricata upx

Malware Config

Signatures

suricata: ET MALWARE Backdoor.Win32.Pushdo.s Checkin
suricata: ET MALWARE Backdoor.Win32.Pushdo.s Checkin
suricata
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/636-62-0x0000000004000000-0x0000000004218000-memory.dmp	upx
behavioral1/memory/628-68-0x0000000004000000-0x000000000408E000-memory.dmp	upx
behavioral1/memory/1192-72-0x0000000004000000-0x0000000004215000-memory.dmp	upx
behavioral1/memory/1192-77-0x0000000004000000-0x0000000004215000-memory.dmp	upx
behavioral1/memory/1192-75-0x0000000004000000-0x0000000004215000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exesvchost.exetmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Regedit32 = "C:\\Windows\\system32\\regedit.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Regedit32 = "C:\\Windows\\system32\\regedit.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\tibqanobatib = "C:\\Users\\Admin\\tibqanobatib.exe"	tmp.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

tmp.exesvchost.exesvchost.exe

description	pid	process	target process
PID 1824 set thread context of 636	1824	tmp.exe	svchost.exe
PID 1824 set thread context of 628	1824	tmp.exe	svchost.exe
PID 1824 set thread context of 1192	1824	tmp.exe	svchost.exe
PID 636 set thread context of 948	636	svchost.exe	svchost.exe
PID 1192 set thread context of 1784	1192	svchost.exe	svchost.exe
PID 636 set thread context of 1120	636	svchost.exe	svchost.exe
PID 636 set thread context of 1644	636	svchost.exe	svchost.exe
PID 1192 set thread context of 1456	1192	svchost.exe	svchost.exe
PID 636 set thread context of 1672	636	svchost.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

tmp.exe

pid process

1824 tmp.exe

pid	process
1824	tmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exesvchost.exesvchost.exe

description	pid	process	target process
PID 1824 wrote to memory of 636	1824	tmp.exe	svchost.exe
PID 1824 wrote to memory of 636	1824	tmp.exe	svchost.exe
PID 1824 wrote to memory of 636	1824	tmp.exe	svchost.exe
PID 1824 wrote to memory of 636	1824	tmp.exe	svchost.exe
PID 1824 wrote to memory of 636	1824	tmp.exe	svchost.exe
PID 1824 wrote to memory of 636	1824	tmp.exe	svchost.exe
PID 1824 wrote to memory of 628	1824	tmp.exe	svchost.exe
PID 1824 wrote to memory of 628	1824	tmp.exe	svchost.exe
PID 1824 wrote to memory of 628	1824	tmp.exe	svchost.exe
PID 1824 wrote to memory of 628	1824	tmp.exe	svchost.exe
PID 1824 wrote to memory of 628	1824	tmp.exe	svchost.exe
PID 1824 wrote to memory of 628	1824	tmp.exe	svchost.exe
PID 636 wrote to memory of 948	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 948	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 948	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 948	636	svchost.exe	svchost.exe
PID 1824 wrote to memory of 1192	1824	tmp.exe	svchost.exe
PID 1824 wrote to memory of 1192	1824	tmp.exe	svchost.exe
PID 1824 wrote to memory of 1192	1824	tmp.exe	svchost.exe
PID 1824 wrote to memory of 1192	1824	tmp.exe	svchost.exe
PID 1824 wrote to memory of 1192	1824	tmp.exe	svchost.exe
PID 1824 wrote to memory of 1192	1824	tmp.exe	svchost.exe
PID 636 wrote to memory of 948	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 948	636	svchost.exe	svchost.exe
PID 1192 wrote to memory of 1784	1192	svchost.exe	svchost.exe
PID 1192 wrote to memory of 1784	1192	svchost.exe	svchost.exe
PID 1192 wrote to memory of 1784	1192	svchost.exe	svchost.exe
PID 1192 wrote to memory of 1784	1192	svchost.exe	svchost.exe
PID 1192 wrote to memory of 1784	1192	svchost.exe	svchost.exe
PID 1192 wrote to memory of 1784	1192	svchost.exe	svchost.exe
PID 636 wrote to memory of 948	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 1120	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 1120	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 1120	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 1120	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 1120	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 1120	636	svchost.exe	svchost.exe
PID 1192 wrote to memory of 1784	1192	svchost.exe	svchost.exe
PID 1192 wrote to memory of 1456	1192	svchost.exe	svchost.exe
PID 1192 wrote to memory of 1456	1192	svchost.exe	svchost.exe
PID 1192 wrote to memory of 1456	1192	svchost.exe	svchost.exe
PID 1192 wrote to memory of 1456	1192	svchost.exe	svchost.exe
PID 636 wrote to memory of 1120	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 1644	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 1644	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 1644	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 1644	636	svchost.exe	svchost.exe
PID 1192 wrote to memory of 1456	1192	svchost.exe	svchost.exe
PID 636 wrote to memory of 1644	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 1644	636	svchost.exe	svchost.exe
PID 1192 wrote to memory of 1456	1192	svchost.exe	svchost.exe
PID 636 wrote to memory of 1644	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 1672	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 1672	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 1672	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 1672	636	svchost.exe	svchost.exe
PID 1192 wrote to memory of 1456	1192	svchost.exe	svchost.exe
PID 1192 wrote to memory of 2060	1192	svchost.exe	svchost.exe
PID 1192 wrote to memory of 2060	1192	svchost.exe	svchost.exe
PID 1192 wrote to memory of 2060	1192	svchost.exe	svchost.exe
PID 1192 wrote to memory of 2060	1192	svchost.exe	svchost.exe
PID 636 wrote to memory of 1672	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 1672	636	svchost.exe	svchost.exe
PID 636 wrote to memory of 1672	636	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:948

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1120

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1644

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1672

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:628

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Adds Run key to start application
PID:1784

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Adds Run key to start application
PID:1456

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\L86LDBSU.txt

Filesize
83B

MD5
f3a1438ddf6ef1e54fb0db2b0839fd3b

SHA1
bed5bb8e772b39ef9b34280a21426623aa83991e

SHA256
9bbe3c56bf980ae8feed01429e1e9cd114e76f66b911458d01e3accdf8d71649

SHA512
a35b793203f96bbebaec4c34ec1086cfa944d83a814f779a2815d7e2691c5027232d61e31a120c8f04d2a9f5fc885995e4e23ec837861397afbd1bee873626b5

Download Submit
memory/628-78-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/628-65-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/628-63-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/628-66-0x0000000000401000-mapping.dmp

Download
memory/628-68-0x0000000004000000-0x000000000408E000-memory.dmp

Filesize
568KB

Download
memory/636-76-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/636-58-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/636-61-0x0000000000401000-mapping.dmp

Download
memory/636-60-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/636-62-0x0000000004000000-0x0000000004218000-memory.dmp

Filesize
2.1MB

Download
memory/948-83-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/948-79-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/948-100-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/948-115-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/948-67-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/948-142-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/948-113-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/948-82-0x0000000013143504-mapping.dmp

Download
memory/1120-128-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1120-107-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1120-93-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1120-144-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1120-96-0x0000000013143519-mapping.dmp

Download
memory/1120-130-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/1192-73-0x0000000004212E80-mapping.dmp

Download
memory/1192-77-0x0000000004000000-0x0000000004215000-memory.dmp

Filesize
2.1MB

Download
memory/1192-69-0x0000000004000000-0x0000000004215000-memory.dmp

Filesize
2.1MB

Download
memory/1192-72-0x0000000004000000-0x0000000004215000-memory.dmp

Filesize
2.1MB

Download
memory/1192-75-0x0000000004000000-0x0000000004215000-memory.dmp

Filesize
2.1MB

Download
memory/1456-129-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1456-138-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1456-109-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1456-139-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/1456-117-0x0000000013143509-mapping.dmp

Download
memory/1456-146-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1644-145-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1644-119-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1644-108-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1644-136-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1644-137-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/1644-110-0x0000000013143529-mapping.dmp

Download
memory/1672-126-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1672-131-0x0000000013143529-mapping.dmp

Download
memory/1784-135-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/1784-101-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1784-88-0x0000000013143509-mapping.dmp

Download
memory/1784-143-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1784-124-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1784-86-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1824-54-0x000000000054F000-0x000000000055A000-memory.dmp

Filesize
44KB

Download
memory/1824-140-0x000000000054F000-0x000000000055A000-memory.dmp

Filesize
44KB

Download
memory/1824-141-0x0000000004000000-0x00000000044FB000-memory.dmp

Filesize
5.0MB

Download
memory/1824-57-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/1824-56-0x0000000004000000-0x00000000044FB000-memory.dmp

Filesize
5.0MB

Download
memory/1824-55-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download