d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291.exe
Size

772KB
MD5

faf55cf94a9c239023ace2a8c265f93b
SHA1

265ed798fe78a26e2685f9addefc97f4dc5104d4
SHA256

d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291
SHA512

7c4bfa33b9923f1c9d807c28bf815f2a607cc0321968db21527c42e6d3d13cda4735895bf7b0b14c749ef08892f53c5618da3be6e773d0c11d98795420b50143

Score

10^/10

persistence suricata upx

Malware Config

Signatures

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4768-132-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4768-137-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4768-138-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4768-140-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4768-141-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4768-142-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d5377494cf2411433d2b64b8658c797a = "regsvr32.exe /s /n /u /i:\"C:\\Users\\Admin\\AppData\\Roaming\\VSO7924IUUZ.txt\" scrobj.dll."	d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291.exe

description	pid	process	target process
PID 4788 set thread context of 4768	4788	d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291.exe	d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291.exe

description	pid	process	target process
PID 4788 wrote to memory of 4768	4788	d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291.exe	d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291.exe
PID 4788 wrote to memory of 4768	4788	d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291.exe	d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291.exe
PID 4788 wrote to memory of 4768	4788	d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291.exe	d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291.exe
PID 4788 wrote to memory of 4768	4788	d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291.exe	d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291.exe

C:\Users\Admin\AppData\Local\Temp\d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291.exe
"C:\Users\Admin\AppData\Local\Temp\d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4788

C:\Users\Admin\AppData\Local\Temp\d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291.exe
C:\Users\Admin\AppData\Local\Temp\d1d78a3b36dc832ee632f6dcf87b9817d0ea8b9c3e7f1e78e64293776ebff291.exe
2⤵
- Adds Run key to start application
PID:4768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4768-131-0x0000000000000000-mapping.dmp

Download
memory/4768-132-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4768-137-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4768-138-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4768-140-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4768-141-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4768-142-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4788-130-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/4788-139-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download