f406f64989c349ab9b4774bb072ff7a016cb87fe31d98f772b3c96b98d0d832d

Analysis

max time kernel
149s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f406f64989c349ab9b4774bb072ff7a016cb87fe31d98f772b3c96b98d0d832d.exe
Size

8KB
MD5

007e13c6e6483f8fae05c2d8547b4fe1
SHA1

82a12a6a16964b2f5179d14e0ed3615e88ffd415
SHA256

f406f64989c349ab9b4774bb072ff7a016cb87fe31d98f772b3c96b98d0d832d
SHA512

54271ddd7945183cdc7c522a72b7a356953c68a8149d706a05bc4f055b2a5fba8c4082981810f8da1031ed59bade12db244a838139490715614f46b370dd9e3e
SSDEEP

96:lRb4z1EucLdXzbOLOw4Uv1dzCxAk9C6Ihyup6YEofgY2IfkxGzPp:zi1EucLdOLHtvs9fOyupTESlMUV

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1464-55-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1464-56-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1464	f406f64989c349ab9b4774bb072ff7a016cb87fe31d98f772b3c96b98d0d832d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cs_4 = "cs_4.exe"	f406f64989c349ab9b4774bb072ff7a016cb87fe31d98f772b3c96b98d0d832d.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cs_4.dll	f406f64989c349ab9b4774bb072ff7a016cb87fe31d98f772b3c96b98d0d832d.exe
File created	C:\Windows\SysWOW64\cs_4.exe	f406f64989c349ab9b4774bb072ff7a016cb87fe31d98f772b3c96b98d0d832d.exe
File opened for modification	C:\Windows\SysWOW64\cs_4.exe	f406f64989c349ab9b4774bb072ff7a016cb87fe31d98f772b3c96b98d0d832d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1464	f406f64989c349ab9b4774bb072ff7a016cb87fe31d98f772b3c96b98d0d832d.exe

C:\Users\Admin\AppData\Local\Temp\f406f64989c349ab9b4774bb072ff7a016cb87fe31d98f772b3c96b98d0d832d.exe
"C:\Users\Admin\AppData\Local\Temp\f406f64989c349ab9b4774bb072ff7a016cb87fe31d98f772b3c96b98d0d832d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\cs_4.dll

Filesize
28KB

MD5
dcf988aade48a929449e1d9531f3e66d

SHA1
990068300d5f6f0209fbbc9acb38d014ec7f07a1

SHA256
4e0be1596039cc8bb0903d4290c8ce86b1b817f6290847b172c1ce7e172acb4f

SHA512
275e9829c5e95927ea9589400f95b7b706cf5d70d9b168e43a4b47bc5c2b97c23dfb5e496632d70a39e1f67dffff8357067adf5f3a761b0f132cef5d03787bc6

Download Submit
memory/1464-55-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1464-56-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download