92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 08:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8.exe
Size

109KB
MD5

2030c31b73ae34ba1159458e6bc65b47
SHA1

e8572205e9536fad7ffa9546c97f8afc0899f295
SHA256

92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8
SHA512

2b61d9ae555837901e1994c4e3e878c8e366e5fa2c2434c89a9c8038a32a34f1503d04f588fa64b23fec0981a0798fa3f12cc46682851effb6a80a83c253eeca
SSDEEP

1536:MujwAW+0vS54QAkItrvf4Gnyb4P3u5s3v4zFfflr/94VOvi8X4EPULSmmw8y9zI+:/X50KmJlI4R3vIflbbvpvPU2p

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1728	TSAFE_A1848.exe
960	TSAFE_B696.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1848-54-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x00140000000054ab-55.dat	upx
behavioral1/files/0x00140000000054ab-58.dat	upx
behavioral1/files/0x00140000000054ab-56.dat	upx
behavioral1/files/0x00140000000054ab-59.dat	upx
behavioral1/files/0x000900000001230c-60.dat	upx
behavioral1/files/0x000900000001230c-61.dat	upx
behavioral1/files/0x000900000001230c-63.dat	upx
behavioral1/files/0x000900000001230c-64.dat	upx
behavioral1/memory/1848-66-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1728-68-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/960-70-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1728-71-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/960-72-0x0000000000400000-0x0000000000442000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1248	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
1848	92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8.exe
1848	92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GGGG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSAFE_A1848.exe"	92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1848	92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8.exe
1848	92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
960	TSAFE_B696.exe
960	TSAFE_B696.exe
960	TSAFE_B696.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
960	TSAFE_B696.exe
960	TSAFE_B696.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
960	TSAFE_B696.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
960	TSAFE_B696.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
960	TSAFE_B696.exe
1728	TSAFE_A1848.exe
960	TSAFE_B696.exe
1728	TSAFE_A1848.exe
960	TSAFE_B696.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
960	TSAFE_B696.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
960	TSAFE_B696.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
960	TSAFE_B696.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
960	TSAFE_B696.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
960	TSAFE_B696.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
960	TSAFE_B696.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
960	TSAFE_B696.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
960	TSAFE_B696.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
960	TSAFE_B696.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
960	TSAFE_B696.exe
1728	TSAFE_A1848.exe
1728	TSAFE_A1848.exe
960	TSAFE_B696.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 1728	1848	92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8.exe	28
PID 1848 wrote to memory of 1728	1848	92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8.exe	28
PID 1848 wrote to memory of 1728	1848	92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8.exe	28
PID 1848 wrote to memory of 1728	1848	92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8.exe	28
PID 1728 wrote to memory of 960	1728	TSAFE_A1848.exe	29
PID 1728 wrote to memory of 960	1728	TSAFE_A1848.exe	29
PID 1728 wrote to memory of 960	1728	TSAFE_A1848.exe	29
PID 1728 wrote to memory of 960	1728	TSAFE_A1848.exe	29
PID 1848 wrote to memory of 1248	1848	92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8.exe	30
PID 1848 wrote to memory of 1248	1848	92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8.exe	30
PID 1848 wrote to memory of 1248	1848	92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8.exe	30
PID 1848 wrote to memory of 1248	1848	92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8.exe	30

C:\Users\Admin\AppData\Local\Temp\92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8.exe
"C:\Users\Admin\AppData\Local\Temp\92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\TSAFE_A1848.exe
  "C:\Users\Admin\AppData\Local\Temp\TSAFE_A1848.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\TSAFE_B696.exe
    "C:\Users\Admin\AppData\Local\Temp\TSAFE_B696.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\21D912D0.bat
  2⤵
  - Deletes itself
  PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\21D912D0.bat

Filesize
269B

MD5
219fb945e010cc89547994b4dde7b615

SHA1
4502f82049cc52fb6798da7106c5e84e5bbfc5e4

SHA256
b1e290bc4f05e0bf19a9739451656acfe456d45e0e0ab18c2c7287bde8151020

SHA512
9f91a456c5de500aed6bd4ab43b8408872f9060fac00f26cdc410b7e0695537eaf456028bf056a6b3b71faa760e72338da085a0419d95cc468d4e93a28d1cd86

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSAFE_A1848.exe

Filesize
109KB

MD5
2030c31b73ae34ba1159458e6bc65b47

SHA1
e8572205e9536fad7ffa9546c97f8afc0899f295

SHA256
92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8

SHA512
2b61d9ae555837901e1994c4e3e878c8e366e5fa2c2434c89a9c8038a32a34f1503d04f588fa64b23fec0981a0798fa3f12cc46682851effb6a80a83c253eeca

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSAFE_A1848.exe

Filesize
109KB

MD5
2030c31b73ae34ba1159458e6bc65b47

SHA1
e8572205e9536fad7ffa9546c97f8afc0899f295

SHA256
92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8

SHA512
2b61d9ae555837901e1994c4e3e878c8e366e5fa2c2434c89a9c8038a32a34f1503d04f588fa64b23fec0981a0798fa3f12cc46682851effb6a80a83c253eeca

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSAFE_B696.exe

Filesize
109KB

MD5
2030c31b73ae34ba1159458e6bc65b47

SHA1
e8572205e9536fad7ffa9546c97f8afc0899f295

SHA256
92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8

SHA512
2b61d9ae555837901e1994c4e3e878c8e366e5fa2c2434c89a9c8038a32a34f1503d04f588fa64b23fec0981a0798fa3f12cc46682851effb6a80a83c253eeca

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSAFE_B696.exe

Filesize
109KB

MD5
2030c31b73ae34ba1159458e6bc65b47

SHA1
e8572205e9536fad7ffa9546c97f8afc0899f295

SHA256
92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8

SHA512
2b61d9ae555837901e1994c4e3e878c8e366e5fa2c2434c89a9c8038a32a34f1503d04f588fa64b23fec0981a0798fa3f12cc46682851effb6a80a83c253eeca

Download Submit
\Users\Admin\AppData\Local\Temp\TSAFE_A1848.exe

Filesize
109KB

MD5
2030c31b73ae34ba1159458e6bc65b47

SHA1
e8572205e9536fad7ffa9546c97f8afc0899f295

SHA256
92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8

SHA512
2b61d9ae555837901e1994c4e3e878c8e366e5fa2c2434c89a9c8038a32a34f1503d04f588fa64b23fec0981a0798fa3f12cc46682851effb6a80a83c253eeca

Download Submit
\Users\Admin\AppData\Local\Temp\TSAFE_A1848.exe

Filesize
109KB

MD5
2030c31b73ae34ba1159458e6bc65b47

SHA1
e8572205e9536fad7ffa9546c97f8afc0899f295

SHA256
92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8

SHA512
2b61d9ae555837901e1994c4e3e878c8e366e5fa2c2434c89a9c8038a32a34f1503d04f588fa64b23fec0981a0798fa3f12cc46682851effb6a80a83c253eeca

Download Submit
\Users\Admin\AppData\Local\Temp\TSAFE_B696.exe

Filesize
109KB

MD5
2030c31b73ae34ba1159458e6bc65b47

SHA1
e8572205e9536fad7ffa9546c97f8afc0899f295

SHA256
92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8

SHA512
2b61d9ae555837901e1994c4e3e878c8e366e5fa2c2434c89a9c8038a32a34f1503d04f588fa64b23fec0981a0798fa3f12cc46682851effb6a80a83c253eeca

Download Submit
\Users\Admin\AppData\Local\Temp\TSAFE_B696.exe

Filesize
109KB

MD5
2030c31b73ae34ba1159458e6bc65b47

SHA1
e8572205e9536fad7ffa9546c97f8afc0899f295

SHA256
92843d16ac8a68e65feae084152c1586a275949d0583412ae4ed1a0d4928b4a8

SHA512
2b61d9ae555837901e1994c4e3e878c8e366e5fa2c2434c89a9c8038a32a34f1503d04f588fa64b23fec0981a0798fa3f12cc46682851effb6a80a83c253eeca

Download Submit
memory/960-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/960-70-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1728-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1728-69-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/1728-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1728-73-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1848-66-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1848-54-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download