30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395

Analysis

max time kernel
156s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
Size

411KB
MD5

7053d7d2c6eb7a495602d3c0cf6ed09a
SHA1

e3763025cfe785389ff15eb7e0dce5c4f7dde855
SHA256

30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395
SHA512

2dbae3bb9fe13f9f6970cf68b2587fd2d5dff1dc6d5bc375870bfb22ee820b8b0cedb2d55857c612a3678fc3b7b5b34500a48c26ea549a3ff84723ba2fa035c9
SSDEEP

12288:8q4ygd5TAAJJsIlA6j0R/C4WiZ3WLyzQ:8qAd5TAAt9j0tCuiy

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2084	oN18401PcAnL18401.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4848-133-0x0000000000400000-0x00000000004D8000-memory.dmp	upx
behavioral2/memory/2084-137-0x0000000000400000-0x00000000004D8000-memory.dmp	upx
behavioral2/memory/4848-138-0x0000000000400000-0x00000000004D8000-memory.dmp	upx
behavioral2/memory/2084-139-0x0000000000400000-0x00000000004D8000-memory.dmp	upx
behavioral2/memory/4848-140-0x0000000000400000-0x00000000004D8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oN18401PcAnL18401 = "C:\\oN18401PcAnL18401\\oN18401PcAnL18401.exe"	oN18401PcAnL18401.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
224	4848	WerFault.exe	81
4692	2084	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
2084	oN18401PcAnL18401.exe
2084	oN18401PcAnL18401.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
2084	oN18401PcAnL18401.exe
2084	oN18401PcAnL18401.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
2084	oN18401PcAnL18401.exe
2084	oN18401PcAnL18401.exe
2084	oN18401PcAnL18401.exe
2084	oN18401PcAnL18401.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
Token: SeDebugPrivilege	2084	oN18401PcAnL18401.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2084	oN18401PcAnL18401.exe
2084	oN18401PcAnL18401.exe
2084	oN18401PcAnL18401.exe
2084	oN18401PcAnL18401.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2084	oN18401PcAnL18401.exe
2084	oN18401PcAnL18401.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 2084	4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe	87
PID 4848 wrote to memory of 2084	4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe	87
PID 4848 wrote to memory of 2084	4848	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe	87

C:\Users\Admin\AppData\Local\Temp\30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
"C:\Users\Admin\AppData\Local\Temp\30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 884
  2⤵
  - Program crash
  PID:224
- C:\oN18401PcAnL18401\oN18401PcAnL18401.exe
  "\oN18401PcAnL18401\oN18401PcAnL18401.exe" "C:\Users\Admin\AppData\Local\Temp\30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 888
    3⤵
    - Program crash
    PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4848 -ip 4848
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2084 -ip 2084
1⤵
PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\oN18401PcAnL18401\oN18401PcAnL18401.exe

Filesize
411KB

MD5
7889aad1f9f1c189f19010e37cd63bb7

SHA1
add86a745dc5b3714a6e3bb4a0627b5e0348f6d1

SHA256
96827e7947278e8cb99b3d676da522da317e6f171108dc3be80e78ea1e9d9d87

SHA512
331587a63a333503e5661dc27b008ea8ca5c6c5ca473e0b606cc14c8a1c5f6d8d8adf6d474abdf58e9bd8b62ce20a42b87ab5be114bb715123dddd9dec6778fa

Download Submit
C:\oN18401PcAnL18401\oN18401PcAnL18401.exe

Filesize
411KB

MD5
7889aad1f9f1c189f19010e37cd63bb7

SHA1
add86a745dc5b3714a6e3bb4a0627b5e0348f6d1

SHA256
96827e7947278e8cb99b3d676da522da317e6f171108dc3be80e78ea1e9d9d87

SHA512
331587a63a333503e5661dc27b008ea8ca5c6c5ca473e0b606cc14c8a1c5f6d8d8adf6d474abdf58e9bd8b62ce20a42b87ab5be114bb715123dddd9dec6778fa

Download Submit
memory/2084-134-0x0000000000000000-mapping.dmp

Download
memory/2084-137-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2084-139-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4848-132-0x00000000006C0000-0x00000000006C3000-memory.dmp

Filesize
12KB

Download
memory/4848-133-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4848-138-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4848-140-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download