e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6

Analysis

max time kernel
152s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2022 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
Size

418KB
MD5

4865003b4393c7c2cff41dc5acc37b99
SHA1

6712b5fe91d6a3e3ff590c242eb8d3b2cd9a69d1
SHA256

e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6
SHA512

57ce4fbf4b5af17713933e157da60f9c6fca9f56c2ffe49eb971c3a780fe1b4f6f1ed551fa0b875c244f7592c954b35c14b8e89bf60637d91c7c2ff2e5a825c8
SSDEEP

12288:BU0x2XOo3+GOrFhyzUfdSWJpzqt9kpIsce:B6XOo3mFIzyEWJlq7T

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4264	kGa24512mNdEd24512.exe
3536	kGa24512mNdEd24512.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/652-132-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/4264-136-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/3536-140-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/652-141-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/4264-142-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kGa24512mNdEd24512 = "C:\\ProgramData\\kGa24512mNdEd24512\\kGa24512mNdEd24512.exe"	kGa24512mNdEd24512.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
4264	kGa24512mNdEd24512.exe
4264	kGa24512mNdEd24512.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
4264	kGa24512mNdEd24512.exe
4264	kGa24512mNdEd24512.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
4264	kGa24512mNdEd24512.exe
4264	kGa24512mNdEd24512.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
4264	kGa24512mNdEd24512.exe
4264	kGa24512mNdEd24512.exe
4264	kGa24512mNdEd24512.exe
4264	kGa24512mNdEd24512.exe
4264	kGa24512mNdEd24512.exe
4264	kGa24512mNdEd24512.exe
4264	kGa24512mNdEd24512.exe
4264	kGa24512mNdEd24512.exe
4264	kGa24512mNdEd24512.exe
4264	kGa24512mNdEd24512.exe
4264	kGa24512mNdEd24512.exe
4264	kGa24512mNdEd24512.exe
4264	kGa24512mNdEd24512.exe
4264	kGa24512mNdEd24512.exe
3536	kGa24512mNdEd24512.exe
3536	kGa24512mNdEd24512.exe
4264	kGa24512mNdEd24512.exe
4264	kGa24512mNdEd24512.exe
3536	kGa24512mNdEd24512.exe
3536	kGa24512mNdEd24512.exe
4264	kGa24512mNdEd24512.exe
4264	kGa24512mNdEd24512.exe
3536	kGa24512mNdEd24512.exe
3536	kGa24512mNdEd24512.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
Token: SeDebugPrivilege	4264	kGa24512mNdEd24512.exe
Token: SeDebugPrivilege	3536	kGa24512mNdEd24512.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3536	kGa24512mNdEd24512.exe
3536	kGa24512mNdEd24512.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3536	kGa24512mNdEd24512.exe
3536	kGa24512mNdEd24512.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3536	kGa24512mNdEd24512.exe
3536	kGa24512mNdEd24512.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 4264	652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe	84
PID 652 wrote to memory of 4264	652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe	84
PID 652 wrote to memory of 4264	652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe	84
PID 652 wrote to memory of 3536	652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe	85
PID 652 wrote to memory of 3536	652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe	85
PID 652 wrote to memory of 3536	652	e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe	85

C:\Users\Admin\AppData\Local\Temp\e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe
"C:\Users\Admin\AppData\Local\Temp\e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652
- C:\ProgramData\kGa24512mNdEd24512\kGa24512mNdEd24512.exe
  "C:\ProgramData\kGa24512mNdEd24512\kGa24512mNdEd24512.exe" BOMBARDAMAXIMUM
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4264
- C:\ProgramData\kGa24512mNdEd24512\kGa24512mNdEd24512.exe
  "C:\ProgramData\kGa24512mNdEd24512\kGa24512mNdEd24512.exe" "C:\Users\Admin\AppData\Local\Temp\e4d610a0b4d96ba16a565695d3217216b45acd66fa647081a46ad77dc7b795d6.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kGa24512mNdEd24512\kGa24512mNdEd24512

Filesize
192B

MD5
d1797f272a7c09af7ea4b48d78ca466d

SHA1
725a40a9bb74ec8262c65926dd413dcbc7879c0c

SHA256
22c68ec03a604b2085c6d03423ad058a043baa2098294ef26a35da5ee2a2a2df

SHA512
388807218897f20f46107d04ba3c633ef6984070a1c050877d6a861fe8413d9120f3cb5106a0ef25482e7ed3ed267e6278d3078c2ebb34b54268123c2fd3f52b

Download Submit
C:\ProgramData\kGa24512mNdEd24512\kGa24512mNdEd24512.exe

Filesize
418KB

MD5
e0dc212268baf5d6f411a213c08f15b3

SHA1
1d75b1b1e7971ef1b08c02913540e3a5ed5010b2

SHA256
eea0ac891f9e2885e62a26f8d31bf4b3b1ea732868216f19c5d130428f7fe6cc

SHA512
17dcfd22c9296d6fb2adcbfb1ed1912586a3f2ae3902212e97f3027abb2e661a745172d4635b89138a9be7bbb5a61bebd127a422fd37bdbaa9dbb9b077436e14

Download Submit
C:\ProgramData\kGa24512mNdEd24512\kGa24512mNdEd24512.exe

Filesize
418KB

MD5
e0dc212268baf5d6f411a213c08f15b3

SHA1
1d75b1b1e7971ef1b08c02913540e3a5ed5010b2

SHA256
eea0ac891f9e2885e62a26f8d31bf4b3b1ea732868216f19c5d130428f7fe6cc

SHA512
17dcfd22c9296d6fb2adcbfb1ed1912586a3f2ae3902212e97f3027abb2e661a745172d4635b89138a9be7bbb5a61bebd127a422fd37bdbaa9dbb9b077436e14

Download Submit
C:\ProgramData\kGa24512mNdEd24512\kGa24512mNdEd24512.exe

Filesize
418KB

MD5
e0dc212268baf5d6f411a213c08f15b3

SHA1
1d75b1b1e7971ef1b08c02913540e3a5ed5010b2

SHA256
eea0ac891f9e2885e62a26f8d31bf4b3b1ea732868216f19c5d130428f7fe6cc

SHA512
17dcfd22c9296d6fb2adcbfb1ed1912586a3f2ae3902212e97f3027abb2e661a745172d4635b89138a9be7bbb5a61bebd127a422fd37bdbaa9dbb9b077436e14

Download Submit
memory/652-132-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/652-141-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3536-137-0x0000000000000000-mapping.dmp

Download
memory/3536-140-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4264-133-0x0000000000000000-mapping.dmp

Download
memory/4264-136-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4264-142-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download