4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930

Analysis

max time kernel
21s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe
Size

839KB
MD5

7422ae285d3da809f1a58c476eafe650
SHA1

67f6af60062aacbd895c1a20eec32382bdaa5600
SHA256

4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930
SHA512

ba3ddfb38931b9790e2299b0df7fc5018009b02c32bfee2c72c49db4c598bb851f0a1679ab8dceac8521b79d529749dc355b3343ef1bc5d50f8ce5d703f86822
SSDEEP

12288:3ghm8FELJ17wCpNPjIqxuuECGDUg8Zy/cLONpB6p:3km8eHLO7BA

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1992-70-0x0000000000400000-0x00000000004D3000-memory.dmp	upx
behavioral1/files/0x0009000000012677-74.dat	upx

Deletes itself 1 IoCs

pid	Process
1204	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 904	1992	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	28

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2004	reg.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 904	1992	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	28
PID 1992 wrote to memory of 904	1992	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	28
PID 1992 wrote to memory of 904	1992	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	28
PID 1992 wrote to memory of 904	1992	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	28
PID 1992 wrote to memory of 904	1992	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	28
PID 1992 wrote to memory of 904	1992	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	28
PID 1992 wrote to memory of 904	1992	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	28
PID 1992 wrote to memory of 904	1992	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	28
PID 904 wrote to memory of 1540	904	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	29
PID 904 wrote to memory of 1540	904	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	29
PID 904 wrote to memory of 1540	904	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	29
PID 904 wrote to memory of 1540	904	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	29
PID 1992 wrote to memory of 1204	1992	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	31
PID 1992 wrote to memory of 1204	1992	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	31
PID 1992 wrote to memory of 1204	1992	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	31
PID 1992 wrote to memory of 1204	1992	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	31
PID 1540 wrote to memory of 2004	1540	cmd.exe	33
PID 1540 wrote to memory of 2004	1540	cmd.exe	33
PID 1540 wrote to memory of 2004	1540	cmd.exe	33
PID 1540 wrote to memory of 2004	1540	cmd.exe	33
PID 1540 wrote to memory of 572	1540	cmd.exe	34
PID 1540 wrote to memory of 572	1540	cmd.exe	34
PID 1540 wrote to memory of 572	1540	cmd.exe	34
PID 1540 wrote to memory of 572	1540	cmd.exe	34
PID 1540 wrote to memory of 572	1540	cmd.exe	34
PID 1540 wrote to memory of 572	1540	cmd.exe	34
PID 1540 wrote to memory of 572	1540	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe
"C:\Users\Admin\AppData\Local\Temp\4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe
  "C:\Users\Admin\AppData\Local\Temp\4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Start.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
      4⤵
      Modifies registry key
      PID:2004
  - - C:\Windows\SysWOW64\gpupdate.exe
      gpupdate /force
      4⤵
      PID:572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\jnduf.bat
  2⤵
  - Deletes itself
  PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf.bat

Filesize
341B

MD5
baad9bb84e0165abb525652f5efdd283

SHA1
936b37d3370b657ed3fba676afc6b7205efed5d9

SHA256
7d80d0c7e937d1de6dd48bedc084d23caaab9c63f8800d6088638bbb29a0b445

SHA512
21d828f9a8b422459b5202ff7b7ab2efe51424363dd30358d44fa47dacb4cdd921aab2f9ca2f98b03de3e8d58f26d2f2674907d3b0ccd5fab94b2ab8dff9407d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf~.tmp

Filesize
839KB

MD5
bdbb57d24c2d4c5056f1f83625e03ae1

SHA1
1c9c33663137ea891f4ebd058ff82cc1b01c12cb

SHA256
998fd248995f71f05ed9c1ad94297c5e0c8e3bdf58753d378adf824df644d91c

SHA512
3465aa9e01ac7bfdcf65e30c877f00eec93deb63729e2501a7656beeb47400de3eb3f16b4a788fd5c128ed77735f420adc23d51c770cc95f75d6134112e04db0

Download Submit
memory/904-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/904-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/904-66-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/904-58-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/904-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/904-56-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/904-55-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1992-71-0x00000000022A0000-0x0000000002373000-memory.dmp

Filesize
844KB

Download
memory/1992-70-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/1992-54-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download