e82d2671bbec4f0818305e29c5eb5064f3c1c3df2752aba086564f6a06b6a6be

Analysis

max time kernel
6s
max time network
74s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-10-2022 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e82d2671bbec4f0818305e29c5eb5064f3c1c3df2752aba086564f6a06b6a6be.exe
Size

299KB
MD5

e625e77f885ce21853cb8f27b7afe5a2
SHA1

c3112965e5d77ececd6811f221dd4fcf843a91a0
SHA256

e82d2671bbec4f0818305e29c5eb5064f3c1c3df2752aba086564f6a06b6a6be
SHA512

e49aca96bc4a652337158246067665ce812534ca4d8580e05467390c52842040931b812b44328e775523db586f4f2153e294b754a78d69c8ae46f45d74549b34
SSDEEP

3072:39mBjNnz0MyASqsq1zSpIrhg2IQBECWmThPmNTibTdhJBbZe2T3oT1IuoLs8ZsSF:tmBhgAXsKSp6pISj/d6Ti9h9Sjuyg

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
272	browsup.exe

Loads dropped DLL 1 IoCs

pid	Process
1280	e82d2671bbec4f0818305e29c5eb5064f3c1c3df2752aba086564f6a06b6a6be.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\browsup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\browsup.exe"	browsup.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	browsup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\browsup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\browsup.exe"	browsup.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	browsup.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1280	e82d2671bbec4f0818305e29c5eb5064f3c1c3df2752aba086564f6a06b6a6be.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 272	1280	e82d2671bbec4f0818305e29c5eb5064f3c1c3df2752aba086564f6a06b6a6be.exe	28
PID 1280 wrote to memory of 272	1280	e82d2671bbec4f0818305e29c5eb5064f3c1c3df2752aba086564f6a06b6a6be.exe	28
PID 1280 wrote to memory of 272	1280	e82d2671bbec4f0818305e29c5eb5064f3c1c3df2752aba086564f6a06b6a6be.exe	28
PID 1280 wrote to memory of 272	1280	e82d2671bbec4f0818305e29c5eb5064f3c1c3df2752aba086564f6a06b6a6be.exe	28

C:\Users\Admin\AppData\Local\Temp\e82d2671bbec4f0818305e29c5eb5064f3c1c3df2752aba086564f6a06b6a6be.exe
"C:\Users\Admin\AppData\Local\Temp\e82d2671bbec4f0818305e29c5eb5064f3c1c3df2752aba086564f6a06b6a6be.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\browsup.exe
  C:\Users\Admin\AppData\Local\Temp\browsup.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\browsup.exe

Filesize
21KB

MD5
fb2023deab5f63635d5865cf8fec4fcd

SHA1
b903bf9db66cc6bc17da79f964cce998c31328ed

SHA256
4d30ddf1ac1aed51638a021d8061c93a317f8298bf1c6c6e208212c9b84124c1

SHA512
210f406d9e390d3f09d6694cee2429496c686d171294201a48035d3f241b6fdcc85a8c2dd3b6254de9a240ece016ba7a2a40f9b23baf30247560048e2ef2759a

Download Submit
\Users\Admin\AppData\Local\Temp\browsup.exe

Filesize
22KB

MD5
4f51e81a818fec09309246f8d429629c

SHA1
44a147ec92eb812a05cdcb6310843f84d02a7601

SHA256
6a0dece5ece7932f30f02b7a39b0a9b466c5de9a7e2e2a98ac2ba4d1f4dfb419

SHA512
eab16b9fa34aaf23976f53596ce1cc436aae27225d6a0c5004e8f2523f5bbb7dd3f35dc0876070230051d4a487c629212fe80c5f38c90cb5275c9247cfd7347c

Download Submit
memory/272-57-0x0000000000000000-mapping.dmp

Download
memory/272-61-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1280-55-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1280-60-0x0000000003200000-0x00000000032BD000-memory.dmp

Filesize
756KB

Download