dfde4df8173b90daa38575d60c96bfc157e045a04e16e46bf073a64fdfd1285e

Analysis

max time kernel
83s
max time network
154s
platform
windows7_x64
resource
win7-20220414-en
submitted
11-06-2022 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73.exe
Size

196KB
MD5

113ac743212e56ac38d22182d7b38385
SHA1

f1098d33d3fe81e370ea1d75096f51d3bebcd855
SHA256

dfde4df8173b90daa38575d60c96bfc157e045a04e16e46bf073a64fdfd1285e
SHA512

ea3f71ea5a135c96a8b768ad4c1f5405892c28ec148981608de2433fdaca3bd80b2c90af5a39c9e67603829fabd1c60b11023511cc56f1d2d0106c747788c320

Score

10^/10

persistence suricata upx

Malware Config

Signatures

suricata: ET MALWARE Backdoor.Win32.Pushdo.s Checkin
suricata: ET MALWARE Backdoor.Win32.Pushdo.s Checkin
suricata
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/980-61-0x0000000004000000-0x0000000004215000-memory.dmp	upx
behavioral1/memory/980-66-0x0000000004000000-0x0000000004215000-memory.dmp	upx
behavioral1/memory/980-67-0x0000000004000000-0x0000000004215000-memory.dmp	upx
behavioral1/memory/2268-122-0x0000000004000000-0x000000000408E000-memory.dmp	upx
behavioral1/memory/2340-136-0x0000000004000000-0x0000000004218000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

73.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\tibqanobatib = "C:\\Users\\Admin\\tibqanobatib.exe"	73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Regedit32 = "C:\\Windows\\system32\\regedit.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Regedit32 = "C:\\Windows\\system32\\regedit.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Regedit32 = "C:\\Windows\\system32\\regedit.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Regedit32 = "C:\\Windows\\system32\\regedit.exe"	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

73.exesvchost.exe

description	pid	process	target process
PID 872 set thread context of 980	872	73.exe	svchost.exe
PID 980 set thread context of 468	980	svchost.exe	svchost.exe
PID 980 set thread context of 1944	980	svchost.exe	svchost.exe
PID 980 set thread context of 556	980	svchost.exe	svchost.exe
PID 980 set thread context of 528	980	svchost.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

73.exe

pid process

872 73.exe

pid	process
872	73.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

73.exesvchost.exe

description	pid	process	target process
PID 872 wrote to memory of 980	872	73.exe	svchost.exe
PID 872 wrote to memory of 980	872	73.exe	svchost.exe
PID 872 wrote to memory of 980	872	73.exe	svchost.exe
PID 872 wrote to memory of 980	872	73.exe	svchost.exe
PID 872 wrote to memory of 980	872	73.exe	svchost.exe
PID 872 wrote to memory of 980	872	73.exe	svchost.exe
PID 872 wrote to memory of 1776	872	73.exe	svchost.exe
PID 872 wrote to memory of 1776	872	73.exe	svchost.exe
PID 872 wrote to memory of 1776	872	73.exe	svchost.exe
PID 872 wrote to memory of 1776	872	73.exe	svchost.exe
PID 980 wrote to memory of 468	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 468	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 468	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 468	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 468	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 468	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 468	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 1944	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 1944	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 1944	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 1944	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 1944	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 1944	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 1944	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 556	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 556	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 556	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 556	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 556	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 556	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 556	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 528	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 528	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 528	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 528	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 528	980	svchost.exe	svchost.exe
PID 980 wrote to memory of 528	980	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\73.exe
"C:\Users\Admin\AppData\Local\Temp\73.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Adds Run key to start application
PID:468

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Adds Run key to start application
PID:1944

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Adds Run key to start application
PID:556

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Adds Run key to start application
PID:528

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:1776

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:2268

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:2300

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2372

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2460

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2628

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2884

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:2340

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2396

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2500

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2816

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1MJ6HS9P.txt

Filesize
112B

MD5
000ab0405031ddb2016379598784d74d

SHA1
a048fdb3c8ef3ff42a4d9d9da9619b7b56034149

SHA256
a5de01b2c11c0bb164988f9db2d951d4e637e5cba8e63e8c93052ab2195652d3

SHA512
9396bc2579b1e1ad1b76e6f3b1ffddb14a05b63fa27db628a260d86bc04eb6a273fae385f5fa242086d91dc5c07049eb2179becd06a23c7f73f5e442b2ae59c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4OCMVEZX.txt

Filesize
84B

MD5
36b4e2e14a4abc874e8816657cbbc316

SHA1
956180fbefd9ebf890a7f5710eafa35614c9011e

SHA256
4f0a43fca92760a6ebdf998ae01a908417fbb6bcbbc79ebb54c147f5e11cdd1b

SHA512
c529938fe1ccf7b3ce5308d7c9089a964c83732ec576dd76066c0ebb4fd524d68baa10e4e1e59098444e34dfd3b52faf97103f996a6b0bf10beb358454a0c005

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6F1IM5OE.txt

Filesize
219B

MD5
faf29d222cd3504961a8e1f20275a105

SHA1
5d126b0f049af185cde4fb3f322cbf60ad5fa2c8

SHA256
2a398eb1e2ff2c29043be60a350fe92557a6c6bffb0865b82d1f833d35c1c683

SHA512
dc4ba0ab74fb60813ae66626f0355c1aaa3a781ab6a9667407ce118798ebceb9289e12bc053b741fac96092d2e5b019e861467ced96478584c1a7c3c1bfe91bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AI4BKNIZ.txt

Filesize
218B

MD5
078042bcd79229914df4bd1e953354cb

SHA1
871a4767f67b3ac9d02b6913132c5ca723871eb0

SHA256
24d25a335fbaf1631ce902db5d4cbf1b34e577c1d4958fa97537b421c6b2bdbc

SHA512
788c7a6008a078a33078600766991708764d86f72390f6c52932865e2be6bcaaa3c1c81c3c583b8faee6fb20f84730e0c4c16af94b01bb8cea0cd01c4e152036

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AY0L9RDP.txt

Filesize
140B

MD5
8ba99b8e4f23deabeea9ef3564f020f1

SHA1
7d3926ecb5aeaac568b16e3e8e803b9589903116

SHA256
dff03edd911a05ebd50dee970c619e0c12382b01a525739b70aec1f3b29d3c89

SHA512
73172b97e37784e5e67663a83cd301946970ccf57b386011b15e0d9e6dc9ceeb52a2b82f845e043044d760aff2c383ecb490f5ec817c3c7cab41b514aba0d717

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DXISONZF.txt

Filesize
86B

MD5
c1ec7331aeedd8630732753d66241451

SHA1
92d4adf1db3cab738d22ef774ab37caef1b61128

SHA256
512b6f5afd02acba11540eb71035a4064c267ade4896bf3824cb353bf6305cb7

SHA512
13cc60ea5ba9d2a9bd478249c98dd28ac8af29f5e7e08ff78bd12dfa69d9464c2ee9474b990341d8d12e8df722bb3ba98193233ac337ebb5d3583e6732160d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IFO63MC9.txt

Filesize
102B

MD5
fb6b654566d71aacaf314e779b4b43d6

SHA1
87a7d9545f1d1f6fef470bbde937fc57207bcee7

SHA256
4d30d333994dc5b0dbdf813b3286491fa0f3a4ee65dafd018372dd2b3ecfbbe1

SHA512
7634a3a64d98b7b396231465111a43e1a0862e9175056b99cd3cf75b2516f2308a12d4464c37c5ce3d3219fed2d75a3d0066a6b450ef602877722a910ced51b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\N8808TTB.txt

Filesize
113B

MD5
80eb95c72cc9c0ef9be20dacecb55db5

SHA1
1f43db375af5f0bf3234d2caf2a5e13489e2579d

SHA256
8c68f5a44c5792c12cb1cb6230b4e0b288599b3fa99f61c6cec98ed37cd37f10

SHA512
817eaf6cf38ab4c188813d09dfd2c5007f4c4ba4e97fa2c0c5160c746a5e1d1aa167248808ef751f40e47a21ce4fe21817b2d16dced16e0e2051c7ed911055f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SNJQY2BN.txt

Filesize
178B

MD5
a35b66c671bb849fefdc7f1f02a01358

SHA1
821d4b11bcbb51c484c30609fe7b353126d2b01a

SHA256
d84e39bf794d88c1dee34d313dfbbbfe439d925370c7e74570a983ee56446eec

SHA512
9ac9bf7e868fe95f6c6c03eb60c001a06528a04f61b75eab24b82fd8e3f53433be33c4eb179e02d21df64f5847df7a2b36010d547508dc401dc97c099ae7e9ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VSRVUOTD.txt

Filesize
217B

MD5
6b53f5b6a6fd4818d0a78fe74d992dcc

SHA1
b5a3760edf20167e3d032976c5a75c795700e3aa

SHA256
4bb399ad6ecd612e3b236b3408b5189fb7bdf7c19deb9e97efecd0dee8fbd6a4

SHA512
0beaa066e74a5963c3a5b67079cb4994be7d8e0d006a92cac6befacc6600d9d6ae7035ce427bb115e4e74bba9e11a25fde5482e59a60b23b37bf1f69ea763183

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YH6E17CR.txt

Filesize
85B

MD5
b466c816c06ca154186b36032c2f78fa

SHA1
91b640c6537fbe2ca56143e93f1a34da37d6124f

SHA256
66ac17379e1c83809687025a38faa8d6bd25d75dcebc77bd919798843f9cbbc3

SHA512
ba05d34965df780fd8ee061b6cf990bece19b8e50df9a9bcf5ef45805a87a9eaa43bafad2f64abbb4a6780bd9ee483c6fb2cf7d77252c8134b7eadfb221942e1

Download Submit
memory/468-68-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/468-70-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/468-72-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/468-71-0x0000000013143509-mapping.dmp

Download
memory/468-86-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/468-115-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/468-98-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/468-96-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/528-117-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/528-100-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/528-112-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/528-108-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/528-103-0x0000000013143509-mapping.dmp

Download
memory/556-90-0x0000000013143509-mapping.dmp

Download
memory/556-111-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/556-116-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/556-99-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/556-102-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/556-88-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/872-109-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/872-110-0x0000000004000000-0x00000000044FB000-memory.dmp

Filesize
5.0MB

Download
memory/872-55-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/872-56-0x00000000003A0000-0x00000000003B3000-memory.dmp

Filesize
76KB

Download
memory/872-57-0x0000000004000000-0x00000000044FB000-memory.dmp

Filesize
5.0MB

Download
memory/872-58-0x00000000768D1000-0x00000000768D3000-memory.dmp

Filesize
8KB

Download
memory/980-67-0x0000000004000000-0x0000000004215000-memory.dmp

Filesize
2.1MB

Download
memory/980-59-0x0000000004000000-0x0000000004215000-memory.dmp

Filesize
2.1MB

Download
memory/980-61-0x0000000004000000-0x0000000004215000-memory.dmp

Filesize
2.1MB

Download
memory/980-62-0x0000000004212E80-mapping.dmp

Download
memory/980-66-0x0000000004000000-0x0000000004215000-memory.dmp

Filesize
2.1MB

Download
memory/1776-64-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1944-77-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1944-78-0x0000000013143509-mapping.dmp

Download
memory/1944-85-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1944-114-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1944-89-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/1944-101-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/2268-125-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2268-122-0x0000000004000000-0x000000000408E000-memory.dmp

Filesize
568KB

Download
memory/2268-121-0x0000000000401000-mapping.dmp

Download
memory/2268-120-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2268-118-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2300-127-0x0000000004212E80-mapping.dmp

Download
memory/2340-140-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2340-136-0x0000000004000000-0x0000000004218000-memory.dmp

Filesize
2.1MB

Download
memory/2340-134-0x0000000000401000-mapping.dmp

Download
memory/2340-132-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2372-169-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/2372-167-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/2372-143-0x0000000013143509-mapping.dmp

Download
memory/2396-147-0x0000000013143504-mapping.dmp

Download
memory/2396-171-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/2396-142-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/2396-190-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/2460-203-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/2460-200-0x0000000013140000-0x0000000014690000-memory.dmp

Filesize
21.3MB

Download
memory/2460-160-0x0000000013143509-mapping.dmp

Download
memory/2500-207-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/2500-172-0x0000000013143519-mapping.dmp

Download
memory/2628-181-0x0000000013143509-mapping.dmp

Download
memory/2628-208-0x0000000004000000-0x0000000004007000-memory.dmp

Filesize
28KB

Download
memory/2816-189-0x0000000013143529-mapping.dmp

Download
memory/2884-202-0x0000000013143509-mapping.dmp

Download
memory/2988-210-0x0000000013143529-mapping.dmp

Download