9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180

General

Target

9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180.exe
Size

12KB
MD5

0c70c6de357762e3de7f8b858286bc61
SHA1

65b51f7c8a8c9a0e0dcee07e6afb17ac2cd490af
SHA256

9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180
SHA512

44c715ff00a51b076690984a7589a2f05f127a98fd57633430624c2e18f67249b66059db4a3ed5a81f73ea1388c2e85868b364fdd2f18155015e68268768423b
SSDEEP

192:D9ElUZBCpaMfnGXcvVSXnmwsqC5P8scrmJevY7SDsNswMurYjF30g:D9IUwRPWXnmMC5P8T6JeAvNsw8Eg

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
888	sunesnk.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1628-54-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/files/0x000a0000000139f2-55.dat	upx
behavioral1/memory/1628-56-0x0000000000230000-0x000000000023E000-memory.dmp	upx
behavioral1/files/0x000a0000000139f2-57.dat	upx
behavioral1/files/0x000a0000000139f2-59.dat	upx
behavioral1/memory/1628-60-0x0000000000230000-0x000000000023E000-memory.dmp	upx
behavioral1/memory/888-61-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1628-62-0x0000000000230000-0x000000000023E000-memory.dmp	upx
behavioral1/memory/1628-64-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1928	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1628	9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180.exe
1628	9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sunesn.dll	9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180.exe
File created	C:\Windows\SysWOW64\sunesnk.exe	9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180.exe
File opened for modification	C:\Windows\SysWOW64\sunesnk.exe	9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1628	9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 888	1628	9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180.exe	27
PID 1628 wrote to memory of 888	1628	9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180.exe	27
PID 1628 wrote to memory of 888	1628	9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180.exe	27
PID 1628 wrote to memory of 888	1628	9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180.exe	27
PID 1628 wrote to memory of 1928	1628	9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180.exe	28
PID 1628 wrote to memory of 1928	1628	9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180.exe	28
PID 1628 wrote to memory of 1928	1628	9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180.exe	28
PID 1628 wrote to memory of 1928	1628	9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180.exe	28

C:\Users\Admin\AppData\Local\Temp\9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180.exe
"C:\Users\Admin\AppData\Local\Temp\9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\sunesnk.exe
  C:\Windows\system32\sunesnk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180.exe.bat
  2⤵
  - Deletes itself
  PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180.exe.bat

Filesize
246B

MD5
09cdfc83b810599d2b073ec6c44cfe4b

SHA1
b8e796a92fce861463f9a40839cf84bfa8ae5505

SHA256
6010e9a1354e9a6640bb5266f20b88e9574ac1e7280bdb90333010c8fad66386

SHA512
8992722180855f09344b85fc386989e8234e6ab9f9a941c01400f29a9ab7ad5d2a267056e8adcb6a010b76177bfde90caf784ce257d849e172650cf34b21e059

Download Submit
C:\Windows\SysWOW64\sunesnk.exe

Filesize
12KB

MD5
0c70c6de357762e3de7f8b858286bc61

SHA1
65b51f7c8a8c9a0e0dcee07e6afb17ac2cd490af

SHA256
9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180

SHA512
44c715ff00a51b076690984a7589a2f05f127a98fd57633430624c2e18f67249b66059db4a3ed5a81f73ea1388c2e85868b364fdd2f18155015e68268768423b

Download Submit
\Windows\SysWOW64\sunesnk.exe

Filesize
12KB

MD5
0c70c6de357762e3de7f8b858286bc61

SHA1
65b51f7c8a8c9a0e0dcee07e6afb17ac2cd490af

SHA256
9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180

SHA512
44c715ff00a51b076690984a7589a2f05f127a98fd57633430624c2e18f67249b66059db4a3ed5a81f73ea1388c2e85868b364fdd2f18155015e68268768423b

Download Submit
\Windows\SysWOW64\sunesnk.exe

Filesize
12KB

MD5
0c70c6de357762e3de7f8b858286bc61

SHA1
65b51f7c8a8c9a0e0dcee07e6afb17ac2cd490af

SHA256
9f16444514779d49f91d2d0b257832b265f21aba95bce43a2329628dd3003180

SHA512
44c715ff00a51b076690984a7589a2f05f127a98fd57633430624c2e18f67249b66059db4a3ed5a81f73ea1388c2e85868b364fdd2f18155015e68268768423b

Download Submit
memory/888-61-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1628-54-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1628-56-0x0000000000230000-0x000000000023E000-memory.dmp

Filesize
56KB

Download
memory/1628-60-0x0000000000230000-0x000000000023E000-memory.dmp

Filesize
56KB

Download
memory/1628-62-0x0000000000230000-0x000000000023E000-memory.dmp

Filesize
56KB

Download
memory/1628-64-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing