e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d.exe
Size

308KB
MD5

6ff9cace5b4728a1f133ee429a26e3d0
SHA1

b2120e6d1e1c646f0300c11fe91a88ac8bac1187
SHA256

e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d
SHA512

cd28d2f4cd60307f5bab031a464d8a12eb0dc6f895515e0e54c03bfcb8c8a51e30673c523727921f875c5f6e333ec7159921c211308b82be6fdbf91cd0dfb648
SSDEEP

6144:I2Cu91FMUJi/wD7s63aPMrl5jS9NwZRElbz6MK5VuakszsrbQ0qAbCv:7Cu9gUxo6eMrl5owZaliQs2b

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1128	resaj.exe

Deletes itself 1 IoCs

pid	Process
924	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1448	e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d.exe
1448	e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	resaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CB118568-7F59-AD4D-CD9C-5E5DE9C17D40} = "C:\\Users\\Admin\\AppData\\Roaming\\Ykxada\\resaj.exe"	resaj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1448 set thread context of 924	1448	e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d.exe	28

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe
1128	resaj.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 1128	1448	e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d.exe	27
PID 1448 wrote to memory of 1128	1448	e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d.exe	27
PID 1448 wrote to memory of 1128	1448	e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d.exe	27
PID 1448 wrote to memory of 1128	1448	e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d.exe	27
PID 1128 wrote to memory of 1248	1128	resaj.exe	16
PID 1128 wrote to memory of 1248	1128	resaj.exe	16
PID 1128 wrote to memory of 1248	1128	resaj.exe	16
PID 1128 wrote to memory of 1248	1128	resaj.exe	16
PID 1128 wrote to memory of 1248	1128	resaj.exe	16
PID 1128 wrote to memory of 1360	1128	resaj.exe	9
PID 1128 wrote to memory of 1360	1128	resaj.exe	9
PID 1128 wrote to memory of 1360	1128	resaj.exe	9
PID 1128 wrote to memory of 1360	1128	resaj.exe	9
PID 1128 wrote to memory of 1360	1128	resaj.exe	9
PID 1128 wrote to memory of 1392	1128	resaj.exe	15
PID 1128 wrote to memory of 1392	1128	resaj.exe	15
PID 1128 wrote to memory of 1392	1128	resaj.exe	15
PID 1128 wrote to memory of 1392	1128	resaj.exe	15
PID 1128 wrote to memory of 1392	1128	resaj.exe	15
PID 1128 wrote to memory of 1448	1128	resaj.exe	26
PID 1128 wrote to memory of 1448	1128	resaj.exe	26
PID 1128 wrote to memory of 1448	1128	resaj.exe	26
PID 1128 wrote to memory of 1448	1128	resaj.exe	26
PID 1128 wrote to memory of 1448	1128	resaj.exe	26
PID 1448 wrote to memory of 924	1448	e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d.exe	28
PID 1448 wrote to memory of 924	1448	e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d.exe	28
PID 1448 wrote to memory of 924	1448	e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d.exe	28
PID 1448 wrote to memory of 924	1448	e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d.exe	28
PID 1448 wrote to memory of 924	1448	e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d.exe	28
PID 1448 wrote to memory of 924	1448	e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d.exe	28
PID 1448 wrote to memory of 924	1448	e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d.exe	28
PID 1448 wrote to memory of 924	1448	e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d.exe	28
PID 1448 wrote to memory of 924	1448	e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d.exe	28

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1360

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1392
- C:\Users\Admin\AppData\Local\Temp\e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d.exe
  "C:\Users\Admin\AppData\Local\Temp\e8310fbd5227eeed04a4f144b2148a72994a706188473cd1c1ffa388b9e1475d.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Users\Admin\AppData\Roaming\Ykxada\resaj.exe
    "C:\Users\Admin\AppData\Roaming\Ykxada\resaj.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp98b9c966.bat"
    3⤵
    - Deletes itself
    PID:924

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp98b9c966.bat

Filesize
307B

MD5
851a5654faf638ddeb17a91ff1ab3afa

SHA1
1c37d389b0e15253968b688d557b06f540d1681a

SHA256
8730992331e5d2b28e04087c6409f5778f68bb230ea4c2b1107bcf5e7e15e355

SHA512
84b7843c5b6a065700f50b53795664bf8c41f08cf3bbf280837850714d8d7d0c4448adae3c02c8cfb8e1a99dfb0d340d69e9ffbf680cb00b15af5eff18e96330

Download Submit
C:\Users\Admin\AppData\Roaming\Ykxada\resaj.exe

Filesize
308KB

MD5
a85392253e95dfaa701c81e4eba25d51

SHA1
36ca1024ed97f10fe88383d7d8e94ea4d1aa02fb

SHA256
04e5dd4b669259ea9c35a93183de4cdfe5c4c1a666448c5961dd70a77d9aab1a

SHA512
da550801001ece3ac6f726048ac60ce9188b4112c6c2b8b1cccc104c076f8b6777a8f405a8ecfcc8e1cd4f3d8fa73be4aca3715b2235eae9bbc634d66be81d45

Download Submit
C:\Users\Admin\AppData\Roaming\Ykxada\resaj.exe

Filesize
308KB

MD5
a85392253e95dfaa701c81e4eba25d51

SHA1
36ca1024ed97f10fe88383d7d8e94ea4d1aa02fb

SHA256
04e5dd4b669259ea9c35a93183de4cdfe5c4c1a666448c5961dd70a77d9aab1a

SHA512
da550801001ece3ac6f726048ac60ce9188b4112c6c2b8b1cccc104c076f8b6777a8f405a8ecfcc8e1cd4f3d8fa73be4aca3715b2235eae9bbc634d66be81d45

Download Submit
\Users\Admin\AppData\Roaming\Ykxada\resaj.exe

Filesize
308KB

MD5
a85392253e95dfaa701c81e4eba25d51

SHA1
36ca1024ed97f10fe88383d7d8e94ea4d1aa02fb

SHA256
04e5dd4b669259ea9c35a93183de4cdfe5c4c1a666448c5961dd70a77d9aab1a

SHA512
da550801001ece3ac6f726048ac60ce9188b4112c6c2b8b1cccc104c076f8b6777a8f405a8ecfcc8e1cd4f3d8fa73be4aca3715b2235eae9bbc634d66be81d45

Download Submit
\Users\Admin\AppData\Roaming\Ykxada\resaj.exe

Filesize
308KB

MD5
a85392253e95dfaa701c81e4eba25d51

SHA1
36ca1024ed97f10fe88383d7d8e94ea4d1aa02fb

SHA256
04e5dd4b669259ea9c35a93183de4cdfe5c4c1a666448c5961dd70a77d9aab1a

SHA512
da550801001ece3ac6f726048ac60ce9188b4112c6c2b8b1cccc104c076f8b6777a8f405a8ecfcc8e1cd4f3d8fa73be4aca3715b2235eae9bbc634d66be81d45

Download Submit
memory/924-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/924-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/924-113-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/924-99-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/924-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/924-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/924-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/924-100-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/924-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/924-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/924-97-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/924-101-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1128-63-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1248-68-0x00000000002B0000-0x00000000002F8000-memory.dmp

Filesize
288KB

Download
memory/1248-65-0x00000000002B0000-0x00000000002F8000-memory.dmp

Filesize
288KB

Download
memory/1248-67-0x00000000002B0000-0x00000000002F8000-memory.dmp

Filesize
288KB

Download
memory/1248-69-0x00000000002B0000-0x00000000002F8000-memory.dmp

Filesize
288KB

Download
memory/1248-70-0x00000000002B0000-0x00000000002F8000-memory.dmp

Filesize
288KB

Download
memory/1360-76-0x00000000002B0000-0x00000000002F8000-memory.dmp

Filesize
288KB

Download
memory/1392-82-0x0000000002A40000-0x0000000002A88000-memory.dmp

Filesize
288KB

Download
memory/1392-81-0x0000000002A40000-0x0000000002A88000-memory.dmp

Filesize
288KB

Download
memory/1392-79-0x0000000002A40000-0x0000000002A88000-memory.dmp

Filesize
288KB

Download
memory/1392-80-0x0000000002A40000-0x0000000002A88000-memory.dmp

Filesize
288KB

Download
memory/1448-87-0x0000000001D50000-0x0000000001D98000-memory.dmp

Filesize
288KB

Download
memory/1448-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1448-85-0x0000000001D50000-0x0000000001D98000-memory.dmp

Filesize
288KB

Download
memory/1448-86-0x0000000001D50000-0x0000000001D98000-memory.dmp

Filesize
288KB

Download
memory/1448-103-0x0000000001D50000-0x0000000001D98000-memory.dmp

Filesize
288KB

Download
memory/1448-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1448-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1448-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1448-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1448-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1448-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1448-88-0x0000000001D50000-0x0000000001D98000-memory.dmp

Filesize
288KB

Download
memory/1448-56-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/1448-55-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download