4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e

Analysis

max time kernel
154s
max time network
166s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe
Size

252KB
MD5

5dbf8341796075ecc7af0077a1e21310
SHA1

edc96a0e868b8b1e6bf6d1004538c045863302b0
SHA256

4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e
SHA512

1cf535c4e5ed51d7be9a97f5402490ad53eea194f5709bd3fed282c47358e301ff4a80bec86dea585e7396dd702f25a49752e0784071583555b273657f2ddbdf
SSDEEP

3072:VahZBNbnOys5HQGFgZq+u7WBr9XHtzkHcnt92Ljy3th8vgEKGw2/OS:ghZBNyycHQGFgZq+u2hhkHwmyd+vym//

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1200	pumir.exe
1172	pumir.exe

Deletes itself 1 IoCs

pid	Process
1800	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
916	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe
916	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	pumir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{17231F3E-664E-15CB-87F5-8B3D3173C10B} = "C:\\Users\\Admin\\AppData\\Roaming\\Ircas\\pumir.exe"	pumir.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 916	2032	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe	27
PID 1200 set thread context of 1172	1200	pumir.exe	29

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe
1172	pumir.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	916	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2032	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe
1200	pumir.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 916	2032	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe	27
PID 2032 wrote to memory of 916	2032	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe	27
PID 2032 wrote to memory of 916	2032	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe	27
PID 2032 wrote to memory of 916	2032	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe	27
PID 2032 wrote to memory of 916	2032	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe	27
PID 2032 wrote to memory of 916	2032	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe	27
PID 2032 wrote to memory of 916	2032	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe	27
PID 2032 wrote to memory of 916	2032	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe	27
PID 2032 wrote to memory of 916	2032	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe	27
PID 916 wrote to memory of 1200	916	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe	28
PID 916 wrote to memory of 1200	916	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe	28
PID 916 wrote to memory of 1200	916	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe	28
PID 916 wrote to memory of 1200	916	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe	28
PID 1200 wrote to memory of 1172	1200	pumir.exe	29
PID 1200 wrote to memory of 1172	1200	pumir.exe	29
PID 1200 wrote to memory of 1172	1200	pumir.exe	29
PID 1200 wrote to memory of 1172	1200	pumir.exe	29
PID 1200 wrote to memory of 1172	1200	pumir.exe	29
PID 1200 wrote to memory of 1172	1200	pumir.exe	29
PID 1200 wrote to memory of 1172	1200	pumir.exe	29
PID 1200 wrote to memory of 1172	1200	pumir.exe	29
PID 1200 wrote to memory of 1172	1200	pumir.exe	29
PID 916 wrote to memory of 1800	916	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe	30
PID 916 wrote to memory of 1800	916	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe	30
PID 916 wrote to memory of 1800	916	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe	30
PID 916 wrote to memory of 1800	916	4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe	30
PID 1172 wrote to memory of 1160	1172	pumir.exe	18
PID 1172 wrote to memory of 1160	1172	pumir.exe	18
PID 1172 wrote to memory of 1160	1172	pumir.exe	18
PID 1172 wrote to memory of 1160	1172	pumir.exe	18
PID 1172 wrote to memory of 1160	1172	pumir.exe	18
PID 1172 wrote to memory of 1232	1172	pumir.exe	17
PID 1172 wrote to memory of 1232	1172	pumir.exe	17
PID 1172 wrote to memory of 1232	1172	pumir.exe	17
PID 1172 wrote to memory of 1232	1172	pumir.exe	17
PID 1172 wrote to memory of 1232	1172	pumir.exe	17
PID 1172 wrote to memory of 1284	1172	pumir.exe	16
PID 1172 wrote to memory of 1284	1172	pumir.exe	16
PID 1172 wrote to memory of 1284	1172	pumir.exe	16
PID 1172 wrote to memory of 1284	1172	pumir.exe	16
PID 1172 wrote to memory of 1284	1172	pumir.exe	16
PID 1172 wrote to memory of 1904	1172	pumir.exe	32
PID 1172 wrote to memory of 1904	1172	pumir.exe	32
PID 1172 wrote to memory of 1904	1172	pumir.exe	32
PID 1172 wrote to memory of 1904	1172	pumir.exe	32
PID 1172 wrote to memory of 1904	1172	pumir.exe	32
PID 1172 wrote to memory of 1788	1172	pumir.exe	33
PID 1172 wrote to memory of 1788	1172	pumir.exe	33
PID 1172 wrote to memory of 1788	1172	pumir.exe	33
PID 1172 wrote to memory of 1788	1172	pumir.exe	33
PID 1172 wrote to memory of 1788	1172	pumir.exe	33
PID 1172 wrote to memory of 1740	1172	pumir.exe	34
PID 1172 wrote to memory of 1740	1172	pumir.exe	34
PID 1172 wrote to memory of 1740	1172	pumir.exe	34
PID 1172 wrote to memory of 1740	1172	pumir.exe	34
PID 1172 wrote to memory of 1740	1172	pumir.exe	34
PID 1172 wrote to memory of 1624	1172	pumir.exe	35
PID 1172 wrote to memory of 1624	1172	pumir.exe	35
PID 1172 wrote to memory of 1624	1172	pumir.exe	35
PID 1172 wrote to memory of 1624	1172	pumir.exe	35
PID 1172 wrote to memory of 1624	1172	pumir.exe	35

C:\Users\Admin\AppData\Local\Temp\4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe
"C:\Users\Admin\AppData\Local\Temp\4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe
  "C:\Users\Admin\AppData\Local\Temp\4d3cd8bffb364a4235689421be11aca265e51047eae31e534fa4550a6fc52f7e.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Users\Admin\AppData\Roaming\Ircas\pumir.exe
    "C:\Users\Admin\AppData\Roaming\Ircas\pumir.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Users\Admin\AppData\Roaming\Ircas\pumir.exe
      "C:\Users\Admin\AppData\Roaming\Ircas\pumir.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6f90ad8f.bat"
    3⤵
    - Deletes itself
    PID:1800

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1232

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1160

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1904

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1788

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1740

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6f90ad8f.bat

Filesize
307B

MD5
f7c87c00f786ddc17c2a831cd15b2c06

SHA1
21f7b57f8d42c9382c27097c9db16f4380b67409

SHA256
c8224774cdc65a23db2ef52ff2b0f5e588afee430228ddd2c9a7469b2939b425

SHA512
e38865fd045d1a04e2057460e474d8c09d882508e58b7cc7f48856e33be61af3cbfcb0be2d35707ed9213f0a27b0eda04a2d00b29e7aa5d5810b19ecf2dd80be

Download Submit
C:\Users\Admin\AppData\Roaming\Ircas\pumir.exe

Filesize
252KB

MD5
2b807b20313f180d39b839bee939da17

SHA1
1733b3205f1c4ca10edf6126c336aa6ffe9f4bba

SHA256
971d6aaa478ddff3127cae574356d5e2b41f2c7271df08d8ab8041449915c6e1

SHA512
056680f644dc437403946a9d160e3f14fb915f110affff03a865ac7295207e309db16bbfcc1a6af3bc178572fa9518e385b68c54705196ba3d92685979d3be03

Download Submit
C:\Users\Admin\AppData\Roaming\Ircas\pumir.exe

Filesize
252KB

MD5
2b807b20313f180d39b839bee939da17

SHA1
1733b3205f1c4ca10edf6126c336aa6ffe9f4bba

SHA256
971d6aaa478ddff3127cae574356d5e2b41f2c7271df08d8ab8041449915c6e1

SHA512
056680f644dc437403946a9d160e3f14fb915f110affff03a865ac7295207e309db16bbfcc1a6af3bc178572fa9518e385b68c54705196ba3d92685979d3be03

Download Submit
C:\Users\Admin\AppData\Roaming\Ircas\pumir.exe

Filesize
252KB

MD5
2b807b20313f180d39b839bee939da17

SHA1
1733b3205f1c4ca10edf6126c336aa6ffe9f4bba

SHA256
971d6aaa478ddff3127cae574356d5e2b41f2c7271df08d8ab8041449915c6e1

SHA512
056680f644dc437403946a9d160e3f14fb915f110affff03a865ac7295207e309db16bbfcc1a6af3bc178572fa9518e385b68c54705196ba3d92685979d3be03

Download Submit
\Users\Admin\AppData\Roaming\Ircas\pumir.exe

Filesize
252KB

MD5
2b807b20313f180d39b839bee939da17

SHA1
1733b3205f1c4ca10edf6126c336aa6ffe9f4bba

SHA256
971d6aaa478ddff3127cae574356d5e2b41f2c7271df08d8ab8041449915c6e1

SHA512
056680f644dc437403946a9d160e3f14fb915f110affff03a865ac7295207e309db16bbfcc1a6af3bc178572fa9518e385b68c54705196ba3d92685979d3be03

Download Submit
\Users\Admin\AppData\Roaming\Ircas\pumir.exe

Filesize
252KB

MD5
2b807b20313f180d39b839bee939da17

SHA1
1733b3205f1c4ca10edf6126c336aa6ffe9f4bba

SHA256
971d6aaa478ddff3127cae574356d5e2b41f2c7271df08d8ab8041449915c6e1

SHA512
056680f644dc437403946a9d160e3f14fb915f110affff03a865ac7295207e309db16bbfcc1a6af3bc178572fa9518e385b68c54705196ba3d92685979d3be03

Download Submit
memory/916-64-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/916-65-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/916-66-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/916-56-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/916-61-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/916-57-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/916-60-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/916-87-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/916-59-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1160-90-0x0000000000450000-0x000000000046A000-memory.dmp

Filesize
104KB

Download
memory/1160-89-0x0000000000450000-0x000000000046A000-memory.dmp

Filesize
104KB

Download
memory/1160-88-0x0000000000450000-0x000000000046A000-memory.dmp

Filesize
104KB

Download
memory/1160-91-0x0000000000450000-0x000000000046A000-memory.dmp

Filesize
104KB

Download
memory/1172-105-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1232-96-0x0000000001D40000-0x0000000001D5A000-memory.dmp

Filesize
104KB

Download
memory/1232-95-0x0000000001D40000-0x0000000001D5A000-memory.dmp

Filesize
104KB

Download
memory/1232-97-0x0000000001D40000-0x0000000001D5A000-memory.dmp

Filesize
104KB

Download
memory/1232-94-0x0000000001D40000-0x0000000001D5A000-memory.dmp

Filesize
104KB

Download
memory/1284-102-0x0000000002950000-0x000000000296A000-memory.dmp

Filesize
104KB

Download
memory/1284-101-0x0000000002950000-0x000000000296A000-memory.dmp

Filesize
104KB

Download
memory/1284-103-0x0000000002950000-0x000000000296A000-memory.dmp

Filesize
104KB

Download
memory/1284-104-0x0000000002950000-0x000000000296A000-memory.dmp

Filesize
104KB

Download
memory/1624-129-0x0000000000210000-0x000000000022A000-memory.dmp

Filesize
104KB

Download
memory/1624-128-0x0000000000210000-0x000000000022A000-memory.dmp

Filesize
104KB

Download
memory/1624-127-0x0000000000210000-0x000000000022A000-memory.dmp

Filesize
104KB

Download
memory/1624-126-0x0000000000210000-0x000000000022A000-memory.dmp

Filesize
104KB

Download
memory/1740-122-0x0000000000490000-0x00000000004AA000-memory.dmp

Filesize
104KB

Download
memory/1740-120-0x0000000000490000-0x00000000004AA000-memory.dmp

Filesize
104KB

Download
memory/1740-121-0x0000000000490000-0x00000000004AA000-memory.dmp

Filesize
104KB

Download
memory/1740-123-0x0000000000490000-0x00000000004AA000-memory.dmp

Filesize
104KB

Download
memory/1788-114-0x0000000003B60000-0x0000000003B7A000-memory.dmp

Filesize
104KB

Download
memory/1788-115-0x0000000003B60000-0x0000000003B7A000-memory.dmp

Filesize
104KB

Download
memory/1788-117-0x0000000003B60000-0x0000000003B7A000-memory.dmp

Filesize
104KB

Download
memory/1788-116-0x0000000003B60000-0x0000000003B7A000-memory.dmp

Filesize
104KB

Download
memory/1904-111-0x00000000000F0000-0x000000000010A000-memory.dmp

Filesize
104KB

Download
memory/1904-110-0x00000000000F0000-0x000000000010A000-memory.dmp

Filesize
104KB

Download
memory/1904-109-0x00000000000F0000-0x000000000010A000-memory.dmp

Filesize
104KB

Download
memory/1904-108-0x00000000000F0000-0x000000000010A000-memory.dmp

Filesize
104KB

Download