61a20dbda35dad2dee3a16ef91608fe4a31c614e34f8ad0627d0a5012cf2f930

Analysis

max time kernel
39s
max time network
51s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61a20dbda35dad2dee3a16ef91608fe4a31c614e34f8ad0627d0a5012cf2f930.exe
Size

16KB
MD5

0c375f27b68b26a0b445abc812f22f41
SHA1

c3831815c8c2fbca14f19b95ff905e8ff9fec1aa
SHA256

61a20dbda35dad2dee3a16ef91608fe4a31c614e34f8ad0627d0a5012cf2f930
SHA512

ba6806fafd92231d2e4ae242c247490cb61e5f85e95dc2de1e10b19ef2c67371441097467a157ff12b5e568e338b3f4bd59a7956ccc33426be6c2bafc0171d10
SSDEEP

384:4HPh4MbsptIL2fagOngKJQakoMi23x7T:+PhcpGL2faga23

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1800	ld08.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000054ab-56.dat	upx
behavioral1/memory/1108-59-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1532	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ld08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sysldtray = "c:\\windows\\ld08.exe"	ld08.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\ld08.exe	61a20dbda35dad2dee3a16ef91608fe4a31c614e34f8ad0627d0a5012cf2f930.exe
File created	\??\c:\windows\ld08.exe	61a20dbda35dad2dee3a16ef91608fe4a31c614e34f8ad0627d0a5012cf2f930.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 1800	1108	61a20dbda35dad2dee3a16ef91608fe4a31c614e34f8ad0627d0a5012cf2f930.exe	27
PID 1108 wrote to memory of 1800	1108	61a20dbda35dad2dee3a16ef91608fe4a31c614e34f8ad0627d0a5012cf2f930.exe	27
PID 1108 wrote to memory of 1800	1108	61a20dbda35dad2dee3a16ef91608fe4a31c614e34f8ad0627d0a5012cf2f930.exe	27
PID 1108 wrote to memory of 1800	1108	61a20dbda35dad2dee3a16ef91608fe4a31c614e34f8ad0627d0a5012cf2f930.exe	27
PID 1108 wrote to memory of 1532	1108	61a20dbda35dad2dee3a16ef91608fe4a31c614e34f8ad0627d0a5012cf2f930.exe	28
PID 1108 wrote to memory of 1532	1108	61a20dbda35dad2dee3a16ef91608fe4a31c614e34f8ad0627d0a5012cf2f930.exe	28
PID 1108 wrote to memory of 1532	1108	61a20dbda35dad2dee3a16ef91608fe4a31c614e34f8ad0627d0a5012cf2f930.exe	28
PID 1108 wrote to memory of 1532	1108	61a20dbda35dad2dee3a16ef91608fe4a31c614e34f8ad0627d0a5012cf2f930.exe	28

C:\Users\Admin\AppData\Local\Temp\61a20dbda35dad2dee3a16ef91608fe4a31c614e34f8ad0627d0a5012cf2f930.exe
"C:\Users\Admin\AppData\Local\Temp\61a20dbda35dad2dee3a16ef91608fe4a31c614e34f8ad0627d0a5012cf2f930.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1108
- \??\c:\windows\ld08.exe
  c:\windows\ld08.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\353wer2343.bat
  2⤵
  - Deletes itself
  PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ld08.exe

Filesize
16KB

MD5
0c375f27b68b26a0b445abc812f22f41

SHA1
c3831815c8c2fbca14f19b95ff905e8ff9fec1aa

SHA256
61a20dbda35dad2dee3a16ef91608fe4a31c614e34f8ad0627d0a5012cf2f930

SHA512
ba6806fafd92231d2e4ae242c247490cb61e5f85e95dc2de1e10b19ef2c67371441097467a157ff12b5e568e338b3f4bd59a7956ccc33426be6c2bafc0171d10

Download Submit
\??\c:\353wer2343.bat

Filesize
279B

MD5
7ef1b8f03b5fe99a86b6bfb7a655eba2

SHA1
32712ea2064600f4044a5ca24ac006e7862de8a9

SHA256
b4790227b6ff094f757c5a4e259b77fd5d9c4cce2a8e831998de8fda2570ca5d

SHA512
459bff0de7d1d772d06a31f35abbc4b9292393849b67ec920a80ec8271f45cc297217ae3f559a8f067808576029db4f69d3e9084d2fd405974484bbfd76e674b

Download Submit
memory/1108-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/1108-59-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download