c2464ff7e92e79273f16fc3aca90b9e0d242d62b730a16f8ab57400c8fcf20d3

Analysis

max time kernel
151s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2464ff7e92e79273f16fc3aca90b9e0d242d62b730a16f8ab57400c8fcf20d3.exe
Size

139KB
MD5

44f2f6e118ca403f881edbabc6d90fd6
SHA1

0025905f3e878f3c26d4aed407e5c9efc2300909
SHA256

c2464ff7e92e79273f16fc3aca90b9e0d242d62b730a16f8ab57400c8fcf20d3
SHA512

2bfed0b6854164b560118511760780ddb40951441fd9cfe72e7113f2eabfceee05999e22bb1b4f2dc53e93ea893131ab3fafcf6f9a6423cfce7c9797610fb9f5
SSDEEP

3072:boDK7KkOmqm2KX9F+eGa76BwdZzlf9phWya71zZX:kDK7KkB5XmBmTd77hrk

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2576	msa.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4120-135-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral2/memory/2576-140-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral2/memory/4120-141-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral2/memory/2576-142-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral2/memory/4120-143-0x0000000000400000-0x0000000000447000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job	c2464ff7e92e79273f16fc3aca90b9e0d242d62b730a16f8ab57400c8fcf20d3.exe
File opened for modification	C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job	c2464ff7e92e79273f16fc3aca90b9e0d242d62b730a16f8ab57400c8fcf20d3.exe
File created	C:\Windows\msa.exe	c2464ff7e92e79273f16fc3aca90b9e0d242d62b730a16f8ab57400c8fcf20d3.exe
File opened for modification	C:\Windows\msa.exe	c2464ff7e92e79273f16fc3aca90b9e0d242d62b730a16f8ab57400c8fcf20d3.exe
File created	C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job	msa.exe
File opened for modification	C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job	msa.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\International	msa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe
2576	msa.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2576	msa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 2576	4120	c2464ff7e92e79273f16fc3aca90b9e0d242d62b730a16f8ab57400c8fcf20d3.exe	79
PID 4120 wrote to memory of 2576	4120	c2464ff7e92e79273f16fc3aca90b9e0d242d62b730a16f8ab57400c8fcf20d3.exe	79
PID 4120 wrote to memory of 2576	4120	c2464ff7e92e79273f16fc3aca90b9e0d242d62b730a16f8ab57400c8fcf20d3.exe	79

C:\Users\Admin\AppData\Local\Temp\c2464ff7e92e79273f16fc3aca90b9e0d242d62b730a16f8ab57400c8fcf20d3.exe
"C:\Users\Admin\AppData\Local\Temp\c2464ff7e92e79273f16fc3aca90b9e0d242d62b730a16f8ab57400c8fcf20d3.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Windows\msa.exe
  C:\Windows\msa.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job

Filesize
426B

MD5
079e848f9dac4dd1cd34496e89c45203

SHA1
e6165c94826e117aedb1ce7c4b967bc763edf4d1

SHA256
e482cf62a90559dd15418bd39d58d2475f8923b08ff49890c90b5e1de7da09b4

SHA512
421efd6c482b676b2ec686f0a2de76331afce1025356d8d4a5495f9f44d664f5bdf398d99e7e9a168f945bd4f309f8fcdbc42dc7fdcb6c5236778f318e737b01

Download Submit
C:\Windows\msa.exe

Filesize
139KB

MD5
44f2f6e118ca403f881edbabc6d90fd6

SHA1
0025905f3e878f3c26d4aed407e5c9efc2300909

SHA256
c2464ff7e92e79273f16fc3aca90b9e0d242d62b730a16f8ab57400c8fcf20d3

SHA512
2bfed0b6854164b560118511760780ddb40951441fd9cfe72e7113f2eabfceee05999e22bb1b4f2dc53e93ea893131ab3fafcf6f9a6423cfce7c9797610fb9f5

Download Submit
C:\Windows\msa.exe

Filesize
139KB

MD5
44f2f6e118ca403f881edbabc6d90fd6

SHA1
0025905f3e878f3c26d4aed407e5c9efc2300909

SHA256
c2464ff7e92e79273f16fc3aca90b9e0d242d62b730a16f8ab57400c8fcf20d3

SHA512
2bfed0b6854164b560118511760780ddb40951441fd9cfe72e7113f2eabfceee05999e22bb1b4f2dc53e93ea893131ab3fafcf6f9a6423cfce7c9797610fb9f5

Download Submit
memory/2576-140-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2576-142-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4120-135-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4120-141-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4120-143-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download