4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930

General

Target

4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe
Size

839KB
MD5

7422ae285d3da809f1a58c476eafe650
SHA1

67f6af60062aacbd895c1a20eec32382bdaa5600
SHA256

4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930
SHA512

ba3ddfb38931b9790e2299b0df7fc5018009b02c32bfee2c72c49db4c598bb851f0a1679ab8dceac8521b79d529749dc355b3343ef1bc5d50f8ce5d703f86822
SSDEEP

12288:3ghm8FELJ17wCpNPjIqxuuECGDUg8Zy/cLONpB6p:3km8eHLO7BA

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3092-132-0x0000000000400000-0x00000000004D3000-memory.dmp	upx
behavioral2/memory/3092-143-0x0000000000400000-0x00000000004D3000-memory.dmp	upx
behavioral2/files/0x000a000000022f6d-145.dat	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3092 set thread context of 4912	3092	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	82

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4484	reg.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 4912	3092	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	82
PID 3092 wrote to memory of 4912	3092	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	82
PID 3092 wrote to memory of 4912	3092	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	82
PID 3092 wrote to memory of 4912	3092	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	82
PID 3092 wrote to memory of 4912	3092	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	82
PID 3092 wrote to memory of 4912	3092	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	82
PID 3092 wrote to memory of 4912	3092	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	82
PID 4912 wrote to memory of 1788	4912	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	83
PID 4912 wrote to memory of 1788	4912	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	83
PID 4912 wrote to memory of 1788	4912	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	83
PID 1788 wrote to memory of 4484	1788	cmd.exe	85
PID 1788 wrote to memory of 4484	1788	cmd.exe	85
PID 1788 wrote to memory of 4484	1788	cmd.exe	85
PID 1788 wrote to memory of 4148	1788	cmd.exe	86
PID 1788 wrote to memory of 4148	1788	cmd.exe	86
PID 1788 wrote to memory of 4148	1788	cmd.exe	86
PID 3092 wrote to memory of 3844	3092	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	87
PID 3092 wrote to memory of 3844	3092	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	87
PID 3092 wrote to memory of 3844	3092	4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe	87

C:\Users\Admin\AppData\Local\Temp\4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe
"C:\Users\Admin\AppData\Local\Temp\4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Users\Admin\AppData\Local\Temp\4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe
  "C:\Users\Admin\AppData\Local\Temp\4e20a9e162cf729fb04d257413a45aa98334485bc3629b74a1b45dc1b2709930.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Start.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
      4⤵
      Modifies registry key
      PID:4484
  - - C:\Windows\SysWOW64\gpupdate.exe
      gpupdate /force
      4⤵
      PID:4148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jnduf.bat
  2⤵
  PID:3844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf.bat

Filesize
341B

MD5
baad9bb84e0165abb525652f5efdd283

SHA1
936b37d3370b657ed3fba676afc6b7205efed5d9

SHA256
7d80d0c7e937d1de6dd48bedc084d23caaab9c63f8800d6088638bbb29a0b445

SHA512
21d828f9a8b422459b5202ff7b7ab2efe51424363dd30358d44fa47dacb4cdd921aab2f9ca2f98b03de3e8d58f26d2f2674907d3b0ccd5fab94b2ab8dff9407d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf~.tmp

Filesize
839KB

MD5
923f966a7d75a412d12134b3f6e48ffe

SHA1
22d0b5bf9bb664626cf12e4ba6147c76ab52f2e5

SHA256
a79716a001a43798afc0481c905ad626956b5dd7aa14c53510a7ec4237d55fa2

SHA512
b76ca4b70bf6afda507cb4d04f18d7f19a5586d81646fb8b26c089b0a1646d61a3944951e1de05b156844dba30072d9d5a09d04bd01e2561069d3938ac6e795a

Download Submit
memory/3092-143-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/3092-132-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/4912-140-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4912-136-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4912-134-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing