4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39

Analysis

max time kernel
91s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 10:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39.exe
Size

310KB
MD5

6f218eb15450d99dc4610a0088ac4632
SHA1

63cd05f23f6ab16a99c8930f7e7b4de00cf5f0c2
SHA256

4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39
SHA512

460ccb477b92a3f63d144c184e95c6a5c18a3c29b41c4885f63ec58a4bf452d6139890a06ea957725b462b372796e3a8155a8a70482b0402aa2c37c928f04fe9
SSDEEP

6144:2N6fGkTxbtUfZbTskdc/isGzNasRsgByJpz:e6frbesb/bGzBB6F

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1208-139-0x0000000000400000-0x00000000004D3000-memory.dmp	upx
behavioral2/files/0x0002000000022df0-143.dat	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1208 set thread context of 2760	1208	4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39.exe	77

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1500	reg.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 2760	1208	4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39.exe	77
PID 1208 wrote to memory of 2760	1208	4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39.exe	77
PID 1208 wrote to memory of 2760	1208	4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39.exe	77
PID 1208 wrote to memory of 2760	1208	4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39.exe	77
PID 1208 wrote to memory of 2760	1208	4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39.exe	77
PID 1208 wrote to memory of 2760	1208	4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39.exe	77
PID 1208 wrote to memory of 2760	1208	4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39.exe	77
PID 2760 wrote to memory of 2324	2760	4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39.exe	78
PID 2760 wrote to memory of 2324	2760	4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39.exe	78
PID 2760 wrote to memory of 2324	2760	4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39.exe	78
PID 1208 wrote to memory of 3196	1208	4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39.exe	80
PID 1208 wrote to memory of 3196	1208	4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39.exe	80
PID 1208 wrote to memory of 3196	1208	4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39.exe	80
PID 2324 wrote to memory of 1500	2324	cmd.exe	82
PID 2324 wrote to memory of 1500	2324	cmd.exe	82
PID 2324 wrote to memory of 1500	2324	cmd.exe	82
PID 2324 wrote to memory of 4428	2324	cmd.exe	83
PID 2324 wrote to memory of 4428	2324	cmd.exe	83
PID 2324 wrote to memory of 4428	2324	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39.exe
"C:\Users\Admin\AppData\Local\Temp\4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39.exe
  "C:\Users\Admin\AppData\Local\Temp\4ddefbcb4247e30783fc52902a75286c6542b9c7255fe0abfca02f62d60f8d39.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Start.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
      4⤵
      Modifies registry key
      PID:1500
  - - C:\Windows\SysWOW64\gpupdate.exe
      gpupdate /force
      4⤵
      PID:4428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jnduf.bat
  2⤵
  PID:3196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf.bat

Filesize
341B

MD5
89e934a45dbfa229b57880bfe2bfde86

SHA1
ad28de31b49ae08934affbcacf3d07083d11ba73

SHA256
07c35d4239aae75051981d2e8cc74649fb8c9c661a94534833f1e4db42be1ffa

SHA512
1de4824ae802f60b6368b1c85cbc6f40e81ab42ad3452d0dd3ea021d6dc331a08670029b57c4dd4f64ffa7441817888e35e5656d3be858ebf9961a1dd42a48c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf~.tmp

Filesize
310KB

MD5
093efce96aa9a62d02148ca128529f43

SHA1
2a6e87bc2b8f74bb95131661ba02a1061f89e4b8

SHA256
92e3c6e47ca56676f7004ddc495efcb8dec190f27be436ddca9f00575ec616cf

SHA512
d52535843e156109d26134aa1f4c7493afa092c319fb6a745cec67c8af6e540d13f23d100acd2d364faae832b5219a54fc0ab54913cebc4f4996db56ef519314

Download Submit
memory/1208-139-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2760-133-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2760-135-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2760-137-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download