9f35d3bccee84cd7f494d5077787e9b455d3fc7c6ac57c9dd5af255790b80202

Analysis

max time kernel
111s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 22:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9f35d3bccee84cd7f494d5077787e9b455d3fc7c6ac57c9dd5af255790b80202.exe
Size

24KB
MD5

0c9dcb73c2da0e6b4953026c01036746
SHA1

cda2be64f5525479bcb1a70afbde27e36cd21dde
SHA256

9f35d3bccee84cd7f494d5077787e9b455d3fc7c6ac57c9dd5af255790b80202
SHA512

1fa1964f30d80e70b24b208254896abacfa6a78a16d1a5152199f933d1a2134bb99d5651a7b8b1d3aeb124da1f40a9a51b0c1d2ecf89726abe4f64bab55a54d6
SSDEEP

384:90p4j6UE5lU3nqoXPK9mzsU6DAiN9J2QlbFIuuuQNekwNek+vD5WDp3G:9EQ6UE5unqo//4UsAERbFFSy2

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4780-132-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4780-135-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	9f35d3bccee84cd7f494d5077787e9b455d3fc7c6ac57c9dd5af255790b80202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	9f35d3bccee84cd7f494d5077787e9b455d3fc7c6ac57c9dd5af255790b80202.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4780	9f35d3bccee84cd7f494d5077787e9b455d3fc7c6ac57c9dd5af255790b80202.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4780	9f35d3bccee84cd7f494d5077787e9b455d3fc7c6ac57c9dd5af255790b80202.exe
4780	9f35d3bccee84cd7f494d5077787e9b455d3fc7c6ac57c9dd5af255790b80202.exe
4780	9f35d3bccee84cd7f494d5077787e9b455d3fc7c6ac57c9dd5af255790b80202.exe

C:\Users\Admin\AppData\Local\Temp\9f35d3bccee84cd7f494d5077787e9b455d3fc7c6ac57c9dd5af255790b80202.exe
"C:\Users\Admin\AppData\Local\Temp\9f35d3bccee84cd7f494d5077787e9b455d3fc7c6ac57c9dd5af255790b80202.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4780-132-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4780-135-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download