a71c12bbd973aa4a11244a27c711652c97029b41572cd4d24e9c53962eb75a0f

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 08:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a71c12bbd973aa4a11244a27c711652c97029b41572cd4d24e9c53962eb75a0f.exe
Size

76KB
MD5

789fd7db2046197919949ab518a492f2
SHA1

21f1cd514cffbf3173b926dc2ef46c89b7a89080
SHA256

a71c12bbd973aa4a11244a27c711652c97029b41572cd4d24e9c53962eb75a0f
SHA512

2ad5830faee5466e2043e1c771e8e9f03eb7136323fe60bceea8e36b312d0ac51c1f1e7ad15d7c537d29272e5a610961ac9e11238138ad83b279a229005af62f
SSDEEP

1536:W6fJiZBLqys476t52rEF/7zdDfIgvpPs7bhAEyz:Ws64yskmoYVXdDQga7Uz

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1964-54-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
976	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	a71c12bbd973aa4a11244a27c711652c97029b41572cd4d24e9c53962eb75a0f.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\olesau32.dll	a71c12bbd973aa4a11244a27c711652c97029b41572cd4d24e9c53962eb75a0f.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\setupball.bmp	a71c12bbd973aa4a11244a27c711652c97029b41572cd4d24e9c53962eb75a0f.exe
File opened for modification	C:\Windows\version.dat	a71c12bbd973aa4a11244a27c711652c97029b41572cd4d24e9c53962eb75a0f.exe
File opened for modification	C:\Windows\winurl.dat	a71c12bbd973aa4a11244a27c711652c97029b41572cd4d24e9c53962eb75a0f.exe
File opened for modification	C:\Windows\wintmp.dat	a71c12bbd973aa4a11244a27c711652c97029b41572cd4d24e9c53962eb75a0f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 976	1964	a71c12bbd973aa4a11244a27c711652c97029b41572cd4d24e9c53962eb75a0f.exe	28
PID 1964 wrote to memory of 976	1964	a71c12bbd973aa4a11244a27c711652c97029b41572cd4d24e9c53962eb75a0f.exe	28
PID 1964 wrote to memory of 976	1964	a71c12bbd973aa4a11244a27c711652c97029b41572cd4d24e9c53962eb75a0f.exe	28
PID 1964 wrote to memory of 976	1964	a71c12bbd973aa4a11244a27c711652c97029b41572cd4d24e9c53962eb75a0f.exe	28
PID 976 wrote to memory of 1548	976	cmd.exe	30
PID 976 wrote to memory of 1548	976	cmd.exe	30
PID 976 wrote to memory of 1548	976	cmd.exe	30
PID 976 wrote to memory of 1548	976	cmd.exe	30

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1548	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a71c12bbd973aa4a11244a27c711652c97029b41572cd4d24e9c53962eb75a0f.exe
"C:\Users\Admin\AppData\Local\Temp\a71c12bbd973aa4a11244a27c711652c97029b41572cd4d24e9c53962eb75a0f.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\del6c76c6.bat"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\SysWOW64\attrib.exe
    attrib.exe -h C:\Windows\system32\olesau32.dll
    3⤵
    - Views/modifies file attributes
    PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\del6c76c6.bat

Filesize
408B

MD5
6807defc711c4c288bedbc5bc745b4ce

SHA1
3f029dcfdbdb58c4347f854e8050bb6d7d105042

SHA256
6d1290ee3d4a947ac00bf42c6047002a2a5a3425e97229d0b79757f2a42e9488

SHA512
e13e5583ec1078019682e5ffc404c4614f30b29b53fdcb5f9b6120e927ee345d5864c2e8bd6878cf99250d22da00d1dbcb6669107b9ce1c3e7db1804d7e10156

Download Submit
memory/1964-54-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads