30da248bf54919f2b772db9808b355e80fe81d4eaa2292a1f892806d2267f7dd

Analysis

max time kernel
145s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30da248bf54919f2b772db9808b355e80fe81d4eaa2292a1f892806d2267f7dd.exe
Size

27KB
MD5

02a071e74d90ba72458d4ace5db35f66
SHA1

39355d5b6f60e30bf30e5171eeaf0008df9cc68a
SHA256

30da248bf54919f2b772db9808b355e80fe81d4eaa2292a1f892806d2267f7dd
SHA512

01b6acd451cc406d2bd7709093516c9da34a817058a22f5908f3c6487afe4fb1d18a2fc7b55e0fccfb21ea4676475d2aad4accee313dcf7349b8898090646f79
SSDEEP

768:zmo6KzyD2AQd2HM6sgSxGhZDKKLkGWSq6Nn1UGVn:zmo6Iy0d2dsgYcZDdLkLShn1UGVn

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2988	NTdhcp.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/380-132-0x0000000000400000-0x000000000041B240-memory.dmp	upx
behavioral2/memory/380-134-0x0000000000400000-0x000000000041B240-memory.dmp	upx
behavioral2/files/0x0009000000022e08-135.dat	upx
behavioral2/files/0x0009000000022e08-136.dat	upx
behavioral2/memory/2988-137-0x0000000000400000-0x000000000041B240-memory.dmp	upx
behavioral2/memory/2988-138-0x0000000000400000-0x000000000041B240-memory.dmp	upx
behavioral2/memory/380-140-0x0000000000400000-0x000000000041B240-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NTdhcp.exe	30da248bf54919f2b772db9808b355e80fe81d4eaa2292a1f892806d2267f7dd.exe
File opened for modification	C:\Windows\SysWOW64\NTdhcp.exe	30da248bf54919f2b772db9808b355e80fe81d4eaa2292a1f892806d2267f7dd.exe
File opened for modification	C:\Windows\SysWOW64\NTdhcp.exe	NTdhcp.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Deleteme.bat	30da248bf54919f2b772db9808b355e80fe81d4eaa2292a1f892806d2267f7dd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 2988	380	30da248bf54919f2b772db9808b355e80fe81d4eaa2292a1f892806d2267f7dd.exe	80
PID 380 wrote to memory of 2988	380	30da248bf54919f2b772db9808b355e80fe81d4eaa2292a1f892806d2267f7dd.exe	80
PID 380 wrote to memory of 2988	380	30da248bf54919f2b772db9808b355e80fe81d4eaa2292a1f892806d2267f7dd.exe	80
PID 380 wrote to memory of 4780	380	30da248bf54919f2b772db9808b355e80fe81d4eaa2292a1f892806d2267f7dd.exe	81
PID 380 wrote to memory of 4780	380	30da248bf54919f2b772db9808b355e80fe81d4eaa2292a1f892806d2267f7dd.exe	81
PID 380 wrote to memory of 4780	380	30da248bf54919f2b772db9808b355e80fe81d4eaa2292a1f892806d2267f7dd.exe	81

C:\Users\Admin\AppData\Local\Temp\30da248bf54919f2b772db9808b355e80fe81d4eaa2292a1f892806d2267f7dd.exe
"C:\Users\Admin\AppData\Local\Temp\30da248bf54919f2b772db9808b355e80fe81d4eaa2292a1f892806d2267f7dd.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\SysWOW64\NTdhcp.exe
  C:\Windows\system32\NTdhcp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\Deleteme.bat
  2⤵
  PID:4780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Deleteme.bat

Filesize
248B

MD5
80ea8e7d32f762ac6ee1ed7b789c9987

SHA1
ac15e2f029e668868b756236079a814c5e5a975f

SHA256
4218ac6883e34a37c1593c171893ca6a1f9dd01c87ce217454c01250271b63cb

SHA512
d7cee391fc71b3c81a3a97238d5984c07f2a17d6c8a11ce2e6abb8cbea5c6f23810087c1b07d537df680ac88f830c57c87a855d8256f706669524f37defdc711

Download Submit
C:\Windows\SysWOW64\NTdhcp.exe

Filesize
27KB

MD5
02a071e74d90ba72458d4ace5db35f66

SHA1
39355d5b6f60e30bf30e5171eeaf0008df9cc68a

SHA256
30da248bf54919f2b772db9808b355e80fe81d4eaa2292a1f892806d2267f7dd

SHA512
01b6acd451cc406d2bd7709093516c9da34a817058a22f5908f3c6487afe4fb1d18a2fc7b55e0fccfb21ea4676475d2aad4accee313dcf7349b8898090646f79

Download Submit
C:\Windows\SysWOW64\NTdhcp.exe

Filesize
27KB

MD5
02a071e74d90ba72458d4ace5db35f66

SHA1
39355d5b6f60e30bf30e5171eeaf0008df9cc68a

SHA256
30da248bf54919f2b772db9808b355e80fe81d4eaa2292a1f892806d2267f7dd

SHA512
01b6acd451cc406d2bd7709093516c9da34a817058a22f5908f3c6487afe4fb1d18a2fc7b55e0fccfb21ea4676475d2aad4accee313dcf7349b8898090646f79

Download Submit
memory/380-132-0x0000000000400000-0x000000000041B240-memory.dmp

Filesize
108KB

Download
memory/380-134-0x0000000000400000-0x000000000041B240-memory.dmp

Filesize
108KB

Download
memory/380-140-0x0000000000400000-0x000000000041B240-memory.dmp

Filesize
108KB

Download
memory/2988-137-0x0000000000400000-0x000000000041B240-memory.dmp

Filesize
108KB

Download
memory/2988-138-0x0000000000400000-0x000000000041B240-memory.dmp

Filesize
108KB

Download