dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352

Analysis

max time kernel
41s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 16:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe
Size

604KB
MD5

9119b113cdf82a5f7991f82b62bc1a80
SHA1

7c461a87cc1bcd892185dbcdf46d2f06410a93b8
SHA256

dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352
SHA512

e5eef7f9805d9151e1d81a20a29e08017dc71f1dd72cbbdf19d605db600d31f0df69add55b3230b1dcbb7d70ca7897855d98fa132f67e6d1d3009c00a4e3e7f0
SSDEEP

6144:AfGGBGgkDWNTTHKpedc2+WzddS1XAMi/vS7Uug:YBG8VHKcdc27zddS1XAMiq

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/108-70-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral1/files/0x00090000000139f7-73.dat	upx

Deletes itself 1 IoCs

pid	Process
628	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 108 set thread context of 1940	108	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	27

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1088	reg.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 1940	108	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	27
PID 108 wrote to memory of 1940	108	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	27
PID 108 wrote to memory of 1940	108	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	27
PID 108 wrote to memory of 1940	108	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	27
PID 108 wrote to memory of 1940	108	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	27
PID 108 wrote to memory of 1940	108	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	27
PID 108 wrote to memory of 1940	108	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	27
PID 108 wrote to memory of 1940	108	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	27
PID 1940 wrote to memory of 1476	1940	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	28
PID 1940 wrote to memory of 1476	1940	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	28
PID 1940 wrote to memory of 1476	1940	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	28
PID 1940 wrote to memory of 1476	1940	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	28
PID 108 wrote to memory of 628	108	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	31
PID 108 wrote to memory of 628	108	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	31
PID 108 wrote to memory of 628	108	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	31
PID 108 wrote to memory of 628	108	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	31
PID 1476 wrote to memory of 1088	1476	cmd.exe	32
PID 1476 wrote to memory of 1088	1476	cmd.exe	32
PID 1476 wrote to memory of 1088	1476	cmd.exe	32
PID 1476 wrote to memory of 1088	1476	cmd.exe	32
PID 1476 wrote to memory of 1012	1476	cmd.exe	33
PID 1476 wrote to memory of 1012	1476	cmd.exe	33
PID 1476 wrote to memory of 1012	1476	cmd.exe	33
PID 1476 wrote to memory of 1012	1476	cmd.exe	33
PID 1476 wrote to memory of 1012	1476	cmd.exe	33
PID 1476 wrote to memory of 1012	1476	cmd.exe	33
PID 1476 wrote to memory of 1012	1476	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe
"C:\Users\Admin\AppData\Local\Temp\dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:108
- C:\Users\Admin\AppData\Local\Temp\dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe
  "C:\Users\Admin\AppData\Local\Temp\dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Start.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
      4⤵
      Modifies registry key
      PID:1088
  - - C:\Windows\SysWOW64\gpupdate.exe
      gpupdate /force
      4⤵
      PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\jnduf.bat
  2⤵
  - Deletes itself
  PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf.bat

Filesize
341B

MD5
db1484b26f6ce4997e0b19893d0203d5

SHA1
68971d5d519c53bc780ceead3b27915a604325c5

SHA256
359d6cf9d5f156e70622c57afcf2a8725bc1433a50998018ed07ce431fafb884

SHA512
d208b71e3a6af685ac8e2c62c7f26e3cc99a4a5680a4b618f3f72af2bf31d05caa15fe45713b603d29d2866862dd6ad195cf1c034849d57e93cea1642f554fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf~.tmp

Filesize
604KB

MD5
f0503e8ac36f89cbb48208be1f448d92

SHA1
f32f10f9e6b182fb68cb3269de3d9316b11081f8

SHA256
a223a8fcf49c18a433a40ceb150a552a8c6adfcf2056c8124fac44b8daade854

SHA512
87402aa5c5eeb6b0550e81de2a3531d65166e403dec222efd9a737de1eee7e8193ab8b1da17024b16e94f0d6569eefc4707e04c9b2bc37cf180cb23af7de95be

Download Submit
memory/108-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/108-70-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1940-60-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1940-68-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1940-66-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1940-62-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1940-58-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1940-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1940-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download