f3e776c7c9872cf8eb995744dbf68d8613c644ad2497d49c62e7d6882b65d0cf

Analysis

max time kernel
102s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3e776c7c9872cf8eb995744dbf68d8613c644ad2497d49c62e7d6882b65d0cf.exe
Size

296KB
MD5

107a318f8261ac53c055641b563f2383
SHA1

08b668d4dab67e23cd936e0b6016689dd301f2c1
SHA256

f3e776c7c9872cf8eb995744dbf68d8613c644ad2497d49c62e7d6882b65d0cf
SHA512

54070bc60bd13f4d54dc84e40476f0964e40b61b9c415a5fadd4572b3a1649db9715a18929aed3042162ca691bffa648dca05493bc10594b6cab5846268d661b
SSDEEP

6144:XOTe8YsLXtaNENLURxVNVdhIaGP5ZXW4bNTTK2:+TawteH33ThIb5Z1

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3836-132-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3836-133-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3836-134-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f3e776c7c9872cf8eb995744dbf68d8613c644ad2497d49c62e7d6882b65d0cf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f3e776c7c9872cf8eb995744dbf68d8613c644ad2497d49c62e7d6882b65d0cf.exe"	f3e776c7c9872cf8eb995744dbf68d8613c644ad2497d49c62e7d6882b65d0cf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3836	f3e776c7c9872cf8eb995744dbf68d8613c644ad2497d49c62e7d6882b65d0cf.exe
3836	f3e776c7c9872cf8eb995744dbf68d8613c644ad2497d49c62e7d6882b65d0cf.exe

C:\Users\Admin\AppData\Local\Temp\f3e776c7c9872cf8eb995744dbf68d8613c644ad2497d49c62e7d6882b65d0cf.exe
"C:\Users\Admin\AppData\Local\Temp\f3e776c7c9872cf8eb995744dbf68d8613c644ad2497d49c62e7d6882b65d0cf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3836-132-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3836-133-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3836-134-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download