dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 16:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe
Size

604KB
MD5

9119b113cdf82a5f7991f82b62bc1a80
SHA1

7c461a87cc1bcd892185dbcdf46d2f06410a93b8
SHA256

dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352
SHA512

e5eef7f9805d9151e1d81a20a29e08017dc71f1dd72cbbdf19d605db600d31f0df69add55b3230b1dcbb7d70ca7897855d98fa132f67e6d1d3009c00a4e3e7f0
SSDEEP

6144:AfGGBGgkDWNTTHKpedc2+WzddS1XAMi/vS7Uug:YBG8VHKcdc27zddS1XAMiq

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4444-140-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral2/files/0x0008000000022dfe-142.dat	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4444 set thread context of 320	4444	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	82

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5092	reg.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 320	4444	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	82
PID 4444 wrote to memory of 320	4444	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	82
PID 4444 wrote to memory of 320	4444	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	82
PID 4444 wrote to memory of 320	4444	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	82
PID 4444 wrote to memory of 320	4444	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	82
PID 4444 wrote to memory of 320	4444	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	82
PID 4444 wrote to memory of 320	4444	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	82
PID 320 wrote to memory of 1432	320	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	83
PID 320 wrote to memory of 1432	320	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	83
PID 320 wrote to memory of 1432	320	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	83
PID 4444 wrote to memory of 2320	4444	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	85
PID 4444 wrote to memory of 2320	4444	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	85
PID 4444 wrote to memory of 2320	4444	dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe	85
PID 1432 wrote to memory of 5092	1432	cmd.exe	87
PID 1432 wrote to memory of 5092	1432	cmd.exe	87
PID 1432 wrote to memory of 5092	1432	cmd.exe	87
PID 1432 wrote to memory of 1124	1432	cmd.exe	88
PID 1432 wrote to memory of 1124	1432	cmd.exe	88
PID 1432 wrote to memory of 1124	1432	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe
"C:\Users\Admin\AppData\Local\Temp\dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\Local\Temp\dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe
  "C:\Users\Admin\AppData\Local\Temp\dabf227d7831a714adf8b16b7be9f6a78cdb34fa23b214291b9e849e84370352.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Start.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
      4⤵
      Modifies registry key
      PID:5092
  - - C:\Windows\SysWOW64\gpupdate.exe
      gpupdate /force
      4⤵
      PID:1124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jnduf.bat
  2⤵
  PID:2320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf.bat

Filesize
341B

MD5
db1484b26f6ce4997e0b19893d0203d5

SHA1
68971d5d519c53bc780ceead3b27915a604325c5

SHA256
359d6cf9d5f156e70622c57afcf2a8725bc1433a50998018ed07ce431fafb884

SHA512
d208b71e3a6af685ac8e2c62c7f26e3cc99a4a5680a4b618f3f72af2bf31d05caa15fe45713b603d29d2866862dd6ad195cf1c034849d57e93cea1642f554fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf~.tmp

Filesize
604KB

MD5
e9c0198d2241fec9e43cb901bea9083c

SHA1
95c19cbce15d27d9c625906386bda537242c1f83

SHA256
1cbbc2df059e9ff1dbbf429bf360b85b216dc139b92b052ff3aeb0fdf1d1e378

SHA512
9a046e2778b3285fdcf28a3d414540a133a5efc815a25dda4c68b90bcef5de8b8b92f4cc8e1cea389919d8d2e660bcc958453065f41a09a6133448d082b8025e

Download Submit
memory/320-133-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/320-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/320-137-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4444-140-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download