7dd2cc280a59846080d37c7582f4729cbedbf55093457b5c349fb51f01ad3137

Analysis

max time kernel
35s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dd2cc280a59846080d37c7582f4729cbedbf55093457b5c349fb51f01ad3137.exe
Size

189KB
MD5

f26846a6e397c9f54ca15aad1d00a927
SHA1

091bf664b911565f7d3e2f20b31fe8e85a4a3246
SHA256

7dd2cc280a59846080d37c7582f4729cbedbf55093457b5c349fb51f01ad3137
SHA512

3b5c5cf019d7f8eedd0ac28203ec5453d5e2e49fb0070c8f512b4f61a8f9a8e89fc43d17eff76f3f5bbf44430a3874dd0680e216ba44a9a55a0967f1af611665
SSDEEP

3072:KeSoCaT42l07ExH2OyNi91h7FkL7+LK8qh4vQYucbETUaBFXM7ceJv981wyorR:KeSoCGraC9kiLh7FO88cQYueETUIc7Tr

Score

8^/10

persistence upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\svchost.exe	7dd2cc280a59846080d37c7582f4729cbedbf55093457b5c349fb51f01ad3137.exe
File created	C:\Windows\SysWOW64\drivers\svchost.exe	7dd2cc280a59846080d37c7582f4729cbedbf55093457b5c349fb51f01ad3137.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/900-55-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral1/memory/900-56-0x0000000000400000-0x0000000000484000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Windows\\System32\\drivers\\svchost.exe"	7dd2cc280a59846080d37c7582f4729cbedbf55093457b5c349fb51f01ad3137.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
900	7dd2cc280a59846080d37c7582f4729cbedbf55093457b5c349fb51f01ad3137.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
900	7dd2cc280a59846080d37c7582f4729cbedbf55093457b5c349fb51f01ad3137.exe
900	7dd2cc280a59846080d37c7582f4729cbedbf55093457b5c349fb51f01ad3137.exe
900	7dd2cc280a59846080d37c7582f4729cbedbf55093457b5c349fb51f01ad3137.exe
900	7dd2cc280a59846080d37c7582f4729cbedbf55093457b5c349fb51f01ad3137.exe

C:\Users\Admin\AppData\Local\Temp\7dd2cc280a59846080d37c7582f4729cbedbf55093457b5c349fb51f01ad3137.exe
"C:\Users\Admin\AppData\Local\Temp\7dd2cc280a59846080d37c7582f4729cbedbf55093457b5c349fb51f01ad3137.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/900-54-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/900-55-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/900-56-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download