1fb7d599571f4b4ed7906c0eea2a99e9539eef2480052274c5ac9901624b6de1

Analysis

max time kernel
112s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
12-06-2022 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fb7d599571f4b4ed7906c0eea2a99e9539eef2480052274c5ac9901624b6de1.exe
Size

3.7MB
MD5

819ed37eb7743bb244d9f34c53e29ec2
SHA1

d1adbdea5d6ee7796af0901467f6953609002e2c
SHA256

1fb7d599571f4b4ed7906c0eea2a99e9539eef2480052274c5ac9901624b6de1
SHA512

1c1eca6e79961bd6b687c551d1eaf5a136225086377aa86f6dd351df1119a86e8230a3fdcedec56505e39abca47c81d4a1fa1dd14c10e0585c173e4a66cac0e1

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ffefUmabWYhXHvgzma5.exe

pid process

4340 ffefUmabWYhXHvgzma5.exe

pid	process
4340	ffefUmabWYhXHvgzma5.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2432-154-0x0000000000400000-0x0000000000924000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ffefUmabWYhXHvgzma5.exe1fb7d599571f4b4ed7906c0eea2a99e9539eef2480052274c5ac9901624b6de1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gvhjg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\fhfhg.exe"	ffefUmabWYhXHvgzma5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1fb7d599571f4b4ed7906c0eea2a99e9539eef2480052274c5ac9901624b6de1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1fb7d599571f4b4ed7906c0eea2a99e9539eef2480052274c5ac9901624b6de1.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/2432-154-0x0000000000400000-0x0000000000924000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ffefUmabWYhXHvgzma5.exe

description pid process target process

PID 4340 set thread context of 2432 4340 ffefUmabWYhXHvgzma5.exe RegAsm.exe
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

ffefUmabWYhXHvgzma5.exe

pid process

4340 ffefUmabWYhXHvgzma5.exe
4340 ffefUmabWYhXHvgzma5.exe
4340 ffefUmabWYhXHvgzma5.exe
4340 ffefUmabWYhXHvgzma5.exe
4340 ffefUmabWYhXHvgzma5.exe

description	pid	process	target process
PID 4340 set thread context of 2432	4340	ffefUmabWYhXHvgzma5.exe	RegAsm.exe

pid	process
4340	ffefUmabWYhXHvgzma5.exe
4340	ffefUmabWYhXHvgzma5.exe
4340	ffefUmabWYhXHvgzma5.exe
4340	ffefUmabWYhXHvgzma5.exe
4340	ffefUmabWYhXHvgzma5.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

1fb7d599571f4b4ed7906c0eea2a99e9539eef2480052274c5ac9901624b6de1.exeffefUmabWYhXHvgzma5.execsc.execsc.exe

description	pid	process	target process
PID 3976 wrote to memory of 4340	3976	1fb7d599571f4b4ed7906c0eea2a99e9539eef2480052274c5ac9901624b6de1.exe	ffefUmabWYhXHvgzma5.exe
PID 3976 wrote to memory of 4340	3976	1fb7d599571f4b4ed7906c0eea2a99e9539eef2480052274c5ac9901624b6de1.exe	ffefUmabWYhXHvgzma5.exe
PID 3976 wrote to memory of 4340	3976	1fb7d599571f4b4ed7906c0eea2a99e9539eef2480052274c5ac9901624b6de1.exe	ffefUmabWYhXHvgzma5.exe
PID 4340 wrote to memory of 2612	4340	ffefUmabWYhXHvgzma5.exe	csc.exe
PID 4340 wrote to memory of 2612	4340	ffefUmabWYhXHvgzma5.exe	csc.exe
PID 4340 wrote to memory of 2612	4340	ffefUmabWYhXHvgzma5.exe	csc.exe
PID 2612 wrote to memory of 5004	2612	csc.exe	cvtres.exe
PID 2612 wrote to memory of 5004	2612	csc.exe	cvtres.exe
PID 2612 wrote to memory of 5004	2612	csc.exe	cvtres.exe
PID 4340 wrote to memory of 4500	4340	ffefUmabWYhXHvgzma5.exe	csc.exe
PID 4340 wrote to memory of 4500	4340	ffefUmabWYhXHvgzma5.exe	csc.exe
PID 4340 wrote to memory of 4500	4340	ffefUmabWYhXHvgzma5.exe	csc.exe
PID 4500 wrote to memory of 3456	4500	csc.exe	cvtres.exe
PID 4500 wrote to memory of 3456	4500	csc.exe	cvtres.exe
PID 4500 wrote to memory of 3456	4500	csc.exe	cvtres.exe
PID 4340 wrote to memory of 1596	4340	ffefUmabWYhXHvgzma5.exe	RegAsm.exe
PID 4340 wrote to memory of 1596	4340	ffefUmabWYhXHvgzma5.exe	RegAsm.exe
PID 4340 wrote to memory of 1596	4340	ffefUmabWYhXHvgzma5.exe	RegAsm.exe
PID 4340 wrote to memory of 1652	4340	ffefUmabWYhXHvgzma5.exe	RegAsm.exe
PID 4340 wrote to memory of 1652	4340	ffefUmabWYhXHvgzma5.exe	RegAsm.exe
PID 4340 wrote to memory of 1652	4340	ffefUmabWYhXHvgzma5.exe	RegAsm.exe
PID 4340 wrote to memory of 1720	4340	ffefUmabWYhXHvgzma5.exe	RegAsm.exe
PID 4340 wrote to memory of 1720	4340	ffefUmabWYhXHvgzma5.exe	RegAsm.exe
PID 4340 wrote to memory of 1720	4340	ffefUmabWYhXHvgzma5.exe	RegAsm.exe
PID 4340 wrote to memory of 1996	4340	ffefUmabWYhXHvgzma5.exe	RegAsm.exe
PID 4340 wrote to memory of 1996	4340	ffefUmabWYhXHvgzma5.exe	RegAsm.exe
PID 4340 wrote to memory of 1996	4340	ffefUmabWYhXHvgzma5.exe	RegAsm.exe
PID 4340 wrote to memory of 2432	4340	ffefUmabWYhXHvgzma5.exe	RegAsm.exe
PID 4340 wrote to memory of 2432	4340	ffefUmabWYhXHvgzma5.exe	RegAsm.exe
PID 4340 wrote to memory of 2432	4340	ffefUmabWYhXHvgzma5.exe	RegAsm.exe
PID 4340 wrote to memory of 2432	4340	ffefUmabWYhXHvgzma5.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\1fb7d599571f4b4ed7906c0eea2a99e9539eef2480052274c5ac9901624b6de1.exe
"C:\Users\Admin\AppData\Local\Temp\1fb7d599571f4b4ed7906c0eea2a99e9539eef2480052274c5ac9901624b6de1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3976

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ffefUmabWYhXHvgzma5.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ffefUmabWYhXHvgzma5.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rhnyy4bz\rhnyy4bz.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5C8.tmp" "c:\Users\Admin\AppData\Local\Temp\rhnyy4bz\CSCBFED0ADEEBE74DA5B63A410E5986113.TMP"
4⤵
PID:5004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jbnjlzey\jbnjlzey.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB85.tmp" "c:\Users\Admin\AppData\Local\Temp\jbnjlzey\CSC24A1D7D6F1D94D93A6CC7DB5A76C597F.TMP"
4⤵
PID:3456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ffefUmabWYhXHvgzm
Filesize
10.0MB

MD5
8853f579d514e6a95620d7cdc834c431

SHA1
6366f62f1b87ea97a29f41f1d2f124744d0a6fb6

SHA256
bc7798faf6382bd2867c49bbb0945f5bf33efa972682b246b58ff4702a2e294b

SHA512
c48bfe245bca2d6b1f77cb769bf75a26948a89f7d9fa8fcad5a4e710f326ae8502c6aaf9a217ea1f9a7a75e67fd776420b561625dd301c0c3856bdf29144aa16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ffefUmabWYhXHvgzma5.exe
Filesize
556KB

MD5
20be9778ce13c5174a1ae97db5f8b245

SHA1
468c46b17497350b61dfa2a7e6570985ddc9f9a8

SHA256
1019f19163c7bb5d79cdb83e1f9c08372e848149d42519d5e02a75530b22063c

SHA512
3e95c84a4794c6760714a2b66364988b1ce83d3f604eb8af90636b4aace173ad0fe14b229503f4b7677f05bac52e622939801ec832d437af2e2af6ec3c2610fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ffefUmabWYhXHvgzma5.exe
Filesize
556KB

MD5
20be9778ce13c5174a1ae97db5f8b245

SHA1
468c46b17497350b61dfa2a7e6570985ddc9f9a8

SHA256
1019f19163c7bb5d79cdb83e1f9c08372e848149d42519d5e02a75530b22063c

SHA512
3e95c84a4794c6760714a2b66364988b1ce83d3f604eb8af90636b4aace173ad0fe14b229503f4b7677f05bac52e622939801ec832d437af2e2af6ec3c2610fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB5C8.tmp
Filesize
1KB

MD5
1b7041384bb7a12f15c30fc0f7ee09ed

SHA1
ac873b8fc75eb906e7bee650263c200cc603787a

SHA256
e2e623ae454a40b0cd1742c2da6dcd91f9a4eb67064d8541254fd9d19e30752f

SHA512
5afd1d23a5dc12f55254f4a76f4019f13c4e200eaa2f9a87386ffd5d25dcd6b6e76c0cfb944af0245cdbc09d8a6193b4b992189ae6476219d6bf4924686d1217

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBB85.tmp
Filesize
1KB

MD5
8e853f9a1dbd8a72e9ef8b5e712025f2

SHA1
6015145b4c337022b9eb9f6b7e7a2c06322995b4

SHA256
fc357428508aa7923bc47bd16befc8e3555681d2a26f4b5a8478c2663db8d9e8

SHA512
1ad2eff4ab51407ecd9ab83972ee71590c6a161ea5712d5d5dff774600114790b901f57550806036b5535d954f18cc5123635436c74139ce210ab551893dbda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbnjlzey\jbnjlzey.dll
Filesize
6.7MB

MD5
ddd150acf113900a2beef6dfeec60654

SHA1
128dfc59e32edaf6ed2e152260eacfe635b376dd

SHA256
60a7c3b3654230d7a89bc7220f206a47547b684112ac946dabd17d8dce42f472

SHA512
3a93c6bd8c4753b28d5d75292b3ef7894df324db3eb76fae8f7a608afb3acab2c9593b0b7d1ddd1bcb8f4283c5ec7af7bfac01424b184ccb465d131243ddfed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhnyy4bz\rhnyy4bz.dll
Filesize
6.7MB

MD5
89eae89550672da734c6bdbbc7120cb2

SHA1
c0f4c89b8e7431f3550a05c77ef066db1d0a7aec

SHA256
119954f68bc8c488a6fef21155f4a76e40a178120df890925be7507580f3c381

SHA512
102f9502b95ed2797eaa8543262cba79fec241048fd849e0ca8e798f81438771436db8abf8eac67f7a37eb165f0526872c174096bf7d3aeb6d5906748d27801a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jbnjlzey\CSC24A1D7D6F1D94D93A6CC7DB5A76C597F.TMP
Filesize
652B

MD5
1b11d081c7cda2d6e7f9b481eb9bea27

SHA1
ebc3bcdc84bf1d036bcebee47a53b2d66e1fc7a5

SHA256
1dd3622fff9a928b88e30a5618d7e65e44adb0327b4ce5b189f21b5850d41317

SHA512
9d41bb89900a84ef3f8cdd75739433e1b055c5849915c60b093fddfd56f750e74407cb4d4f7acb0295ab4e30efe67d2fab6293c0e44320c4b1872c07ddd8ab99

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jbnjlzey\jbnjlzey.0.cs
Filesize
10.0MB

MD5
9643ddab72129e062c6d9d443fcdcb9d

SHA1
49059d908848bf7c5ba030429f9e4d44355ce743

SHA256
a2df503909ed7eed6b200e1dfd57bf051e54fbd18e508f90f2181a38db1f323a

SHA512
164a9e157eaec1a4d495a5870d9e0b68bf04d2f0f17757498566bc98a12aaa00cf9835a54a9eb5fc553a612fab6b9f1ee2f4cf247a0be6dfc9e6caed846db1d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jbnjlzey\jbnjlzey.cmdline
Filesize
302B

MD5
f3fda841753c12d0232041e9ded4a456

SHA1
48c6688557132743cc2262dc9eaa2918d4b5a4a2

SHA256
1d95dc94a0480db24e5d26994297f9c5161f046856659e27d552cb60a5c75214

SHA512
4fc4e9faefc987362997bc40e35eeae306d8ae48887d59808f14cce55d16d1ec211ca44dc570f735a76d0a9fc9c76d3c61aae501122600485e95101388224874

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rhnyy4bz\CSCBFED0ADEEBE74DA5B63A410E5986113.TMP
Filesize
652B

MD5
7c78a6a7f80d8c5fdbf3f3c0ab6298a2

SHA1
d6158309c5b64fb6034e32c88c22f3315faa06c7

SHA256
ddc6c2440f22f2a71675c9eace60249cc9aa04d6c6ba0ba9603ca2844fc3fe0f

SHA512
3dac6a3dec4f77c7b35bf8854546b1497d4d29174342deffa619fdc69a97edcde40c102cc20cb17081da69a583be5f2a15fe4feea76c3a2e845fa710eb61c16c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rhnyy4bz\rhnyy4bz.0.cs
Filesize
10.0MB

MD5
9643ddab72129e062c6d9d443fcdcb9d

SHA1
49059d908848bf7c5ba030429f9e4d44355ce743

SHA256
a2df503909ed7eed6b200e1dfd57bf051e54fbd18e508f90f2181a38db1f323a

SHA512
164a9e157eaec1a4d495a5870d9e0b68bf04d2f0f17757498566bc98a12aaa00cf9835a54a9eb5fc553a612fab6b9f1ee2f4cf247a0be6dfc9e6caed846db1d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rhnyy4bz\rhnyy4bz.cmdline
Filesize
302B

MD5
7fb6709d393e9e2a5e2bcd6e7e957543

SHA1
63f3c0527795f7c7934ba0d04ce637a3035fde36

SHA256
78d8d8445bc245192b842efd70d3ad693762165b0e42bc5b8f4434cb98fb479e

SHA512
72b538eb1cbfa2390941f72c4c9fee174289b8dbbccff2ce989736f5d901522a7d71f15731cf81f7c19d926044fa1a52efda737275edbe45ece9185b51bb30c3

Download Submit
memory/2432-152-0x0000000000000000-mapping.dmp

Download
memory/2432-154-0x0000000000400000-0x0000000000924000-memory.dmp

Filesize
5.1MB

Download
memory/2612-138-0x0000000000000000-mapping.dmp

Download
memory/3456-148-0x0000000000000000-mapping.dmp

Download
memory/4340-133-0x0000000000000000-mapping.dmp

Download
memory/4340-153-0x00000000028B0000-0x00000000028B3000-memory.dmp

Filesize
12KB

Download
memory/4340-136-0x0000000000500000-0x0000000000592000-memory.dmp

Filesize
584KB

Download
memory/4500-145-0x0000000000000000-mapping.dmp

Download
memory/5004-141-0x0000000000000000-mapping.dmp

Download