1fa5f7be9a82c4cffd894eb71498d2ad86a850193e52ea02178800d0a35cdbab

Analysis

max time kernel
183s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fa5f7be9a82c4cffd894eb71498d2ad86a850193e52ea02178800d0a35cdbab.exe
Size

176KB
MD5

101dca1482e21af2aa8e71921bc0c7c9
SHA1

2ae066e11fe756f2ba8dbc57866680d9bc4f6322
SHA256

1fa5f7be9a82c4cffd894eb71498d2ad86a850193e52ea02178800d0a35cdbab
SHA512

4ba2b655b852931bc5a23aca4363a3b9468dfb2897be96e17c9a04940bc512b1bc49894385190f27ea80b18c59afe883711e3e034791f6de172308418d7102d0
SSDEEP

1536:YE/v3Gauw4eSU9A8tJyjlHQA7Mvi3zyXdTDGmnyZyonvZvRbcUC7iwG586P:PAw4eSD8tJel3eXdTD5MnvZvsiF5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4180	ijnafg.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\usdat\\command	ijnafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ijnafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\usdat	ijnafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\usdat	ijnafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	ijnafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ijnafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	ijnafg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1808	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 3604	3492	1fa5f7be9a82c4cffd894eb71498d2ad86a850193e52ea02178800d0a35cdbab.exe	80
PID 3492 wrote to memory of 3604	3492	1fa5f7be9a82c4cffd894eb71498d2ad86a850193e52ea02178800d0a35cdbab.exe	80
PID 3492 wrote to memory of 3604	3492	1fa5f7be9a82c4cffd894eb71498d2ad86a850193e52ea02178800d0a35cdbab.exe	80
PID 3604 wrote to memory of 4180	3604	cmd.exe	82
PID 3604 wrote to memory of 4180	3604	cmd.exe	82
PID 3604 wrote to memory of 4180	3604	cmd.exe	82
PID 3604 wrote to memory of 1808	3604	cmd.exe	83
PID 3604 wrote to memory of 1808	3604	cmd.exe	83
PID 3604 wrote to memory of 1808	3604	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\1fa5f7be9a82c4cffd894eb71498d2ad86a850193e52ea02178800d0a35cdbab.exe
"C:\Users\Admin\AppData\Local\Temp\1fa5f7be9a82c4cffd894eb71498d2ad86a850193e52ea02178800d0a35cdbab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aykixbo.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Users\Admin\AppData\Local\Temp\ijnafg.exe
    "C:\Users\Admin\AppData\Local\Temp\ijnafg.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:4180
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aykixbo.bat

Filesize
124B

MD5
eb0b0da9706295fc620a21f743b81e00

SHA1
7bf17f4f5c0342bba4707291dcd6379b4090066f

SHA256
fb3f03b42aa212cebab9aada9147e8e25c85d82fa7fce32c58ee62d1f3a32f4a

SHA512
fb7eb25cf3c9895f870156dc37c2032cc0073360c95b12f2b748f8338b0f9b55f4e6a4f15553fc40fc5c6f0b4f8a2d46ba9fc85920d79304067d2bf78ed2e4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijnafg.exe

Filesize
140KB

MD5
10012ef9314249dec3a2907a5dad684d

SHA1
82178da0c553b963819b161d492aea1ecee98820

SHA256
136be0e450fa7c1fdc0cd7ba630b7a8da940bb4c1c89cdbeca6c320aa675631a

SHA512
4334f1ac34b610fdc15ab793af72595fccbc73671159ed6ec3ae41703d4c78ae4a6133475b2a46066e7a409d1e0bcf7ffc3e864043e868a0d9ccbc404402d9ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijnafg.exe

Filesize
140KB

MD5
10012ef9314249dec3a2907a5dad684d

SHA1
82178da0c553b963819b161d492aea1ecee98820

SHA256
136be0e450fa7c1fdc0cd7ba630b7a8da940bb4c1c89cdbeca6c320aa675631a

SHA512
4334f1ac34b610fdc15ab793af72595fccbc73671159ed6ec3ae41703d4c78ae4a6133475b2a46066e7a409d1e0bcf7ffc3e864043e868a0d9ccbc404402d9ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ongnex.bat

Filesize
188B

MD5
e4047101e16292cc594acc752e9651b7

SHA1
6f3cbd9f531b978d4083826bdb9c2221ab2ba3de

SHA256
2decd4ac7921dcd26e23827532a07ab9addaceb31721cbed79c39ea9cc76be5e

SHA512
87e608003eddfbb1b729fd456fbc809b173e108eaa2c827f5842a824399b27260e5479d3b958db7e8dd8b2d77790dc988bd9926c4f6e80054c30254128cba67d

Download Submit