a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6

Analysis

max time kernel
178s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 20:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6.exe
Size

960KB
MD5

010a873fc31e36275b8389368bf67cb5
SHA1

2e2d9ae0ca913fb61e10ef144b25fa04e75fa09f
SHA256

a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6
SHA512

361ab6f1bea734f4aaab30a08782aed0cded004c16638837877fe906e2c84a739e63282033bb9b10baed4f5d5e12dfdd218b6c10bcb5c8b7d8173a51df54075e
SSDEEP

6144:CS+M0ROoZ04CUpNZ7xbKoV2cN+P31ja/VozMUqKf7:CS+MgLCUpn7xbNZN+P31ja/NvK

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
4052	registry.exe
4712	registry.exe
4284	registry.exe
1480	registry.exe
4992	registry.exe
1792	registry.exe
4316	registry.exe
1000	registry.exe
2808	registry.exe
3680	registry.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4968-132-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/files/0x0007000000022e6c-134.dat	upx
behavioral2/files/0x0007000000022e6c-135.dat	upx
behavioral2/memory/4968-136-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/memory/4052-137-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/files/0x0007000000022e6c-139.dat	upx
behavioral2/memory/4712-140-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/files/0x0007000000022e6c-142.dat	upx
behavioral2/memory/4284-143-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/files/0x0007000000022e6c-145.dat	upx
behavioral2/memory/1480-146-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/files/0x0007000000022e6c-148.dat	upx
behavioral2/memory/4992-149-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/files/0x0007000000022e6c-151.dat	upx
behavioral2/memory/1792-152-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/files/0x0007000000022e6c-154.dat	upx
behavioral2/memory/4316-155-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/files/0x0007000000022e6c-157.dat	upx
behavioral2/memory/1000-158-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/files/0x0007000000022e6c-160.dat	upx
behavioral2/memory/2808-161-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/files/0x0007000000022e6c-163.dat	upx
behavioral2/memory/3680-164-0x0000000000400000-0x00000000004F2000-memory.dmp	upx

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\registry.exe	registry.exe
File opened for modification	C:\Windows\SysWOW64\registry.exe	registry.exe
File opened for modification	C:\Windows\SysWOW64\registry.exe	registry.exe
File created	C:\Windows\SysWOW64\registry.exe	registry.exe
File created	C:\Windows\SysWOW64\registry.exe	registry.exe
File created	C:\Windows\SysWOW64\registry.exe	registry.exe
File created	C:\Windows\SysWOW64\registry.exe	registry.exe
File opened for modification	C:\Windows\SysWOW64\registry.exe	registry.exe
File created	C:\Windows\SysWOW64\registry.exe	a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6.exe
File opened for modification	C:\Windows\SysWOW64\registry.exe	registry.exe
File opened for modification	C:\Windows\SysWOW64\registry.exe	registry.exe
File created	C:\Windows\SysWOW64\registry.exe	registry.exe
File created	C:\Windows\SysWOW64\registry.exe	registry.exe
File opened for modification	C:\Windows\SysWOW64\registry.exe	registry.exe
File opened for modification	C:\Windows\SysWOW64\registry.exe	registry.exe
File created	C:\Windows\SysWOW64\registry.exe	registry.exe
File opened for modification	C:\Windows\SysWOW64\registry.exe	registry.exe
File created	C:\Windows\SysWOW64\registry.exe	registry.exe
File created	C:\Windows\SysWOW64\registry.exe	registry.exe
File opened for modification	C:\Windows\SysWOW64\registry.exe	a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6.exe
File opened for modification	C:\Windows\SysWOW64\registry.exe	registry.exe
File created	C:\Windows\SysWOW64\registry.exe	registry.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 4052	4968	a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6.exe	80
PID 4968 wrote to memory of 4052	4968	a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6.exe	80
PID 4968 wrote to memory of 4052	4968	a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6.exe	80
PID 4052 wrote to memory of 4712	4052	registry.exe	83
PID 4052 wrote to memory of 4712	4052	registry.exe	83
PID 4052 wrote to memory of 4712	4052	registry.exe	83
PID 4712 wrote to memory of 4284	4712	registry.exe	84
PID 4712 wrote to memory of 4284	4712	registry.exe	84
PID 4712 wrote to memory of 4284	4712	registry.exe	84
PID 4284 wrote to memory of 1480	4284	registry.exe	85
PID 4284 wrote to memory of 1480	4284	registry.exe	85
PID 4284 wrote to memory of 1480	4284	registry.exe	85
PID 1480 wrote to memory of 4992	1480	registry.exe	89
PID 1480 wrote to memory of 4992	1480	registry.exe	89
PID 1480 wrote to memory of 4992	1480	registry.exe	89
PID 4992 wrote to memory of 1792	4992	registry.exe	93
PID 4992 wrote to memory of 1792	4992	registry.exe	93
PID 4992 wrote to memory of 1792	4992	registry.exe	93
PID 1792 wrote to memory of 4316	1792	registry.exe	94
PID 1792 wrote to memory of 4316	1792	registry.exe	94
PID 1792 wrote to memory of 4316	1792	registry.exe	94
PID 4316 wrote to memory of 1000	4316	registry.exe	95
PID 4316 wrote to memory of 1000	4316	registry.exe	95
PID 4316 wrote to memory of 1000	4316	registry.exe	95
PID 1000 wrote to memory of 2808	1000	registry.exe	96
PID 1000 wrote to memory of 2808	1000	registry.exe	96
PID 1000 wrote to memory of 2808	1000	registry.exe	96
PID 2808 wrote to memory of 3680	2808	registry.exe	97
PID 2808 wrote to memory of 3680	2808	registry.exe	97
PID 2808 wrote to memory of 3680	2808	registry.exe	97

C:\Users\Admin\AppData\Local\Temp\a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6.exe
"C:\Users\Admin\AppData\Local\Temp\a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\SysWOW64\registry.exe
  C:\Windows\system32\registry.exe 1152 "C:\Users\Admin\AppData\Local\Temp\a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\SysWOW64\registry.exe
    C:\Windows\system32\registry.exe 1148 "C:\Windows\SysWOW64\registry.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Windows\SysWOW64\registry.exe
      C:\Windows\system32\registry.exe 1120 "C:\Windows\SysWOW64\registry.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4284
    - - C:\Windows\SysWOW64\registry.exe
        
        C:\Windows\system32\registry.exe 1124 "C:\Windows\SysWOW64\registry.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1480
      - C:\Windows\SysWOW64\registry.exe
        
        C:\Windows\system32\registry.exe 1132 "C:\Windows\SysWOW64\registry.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\registry.exe
        
        C:\Windows\system32\registry.exe 1140 "C:\Windows\SysWOW64\registry.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\registry.exe
        
        C:\Windows\system32\registry.exe 1136 "C:\Windows\SysWOW64\registry.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\registry.exe
        
        C:\Windows\system32\registry.exe 1128 "C:\Windows\SysWOW64\registry.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\registry.exe
        
        C:\Windows\system32\registry.exe 1144 "C:\Windows\SysWOW64\registry.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\registry.exe
        
        C:\Windows\system32\registry.exe 1156 "C:\Windows\SysWOW64\registry.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\registry.exe

Filesize
960KB

MD5
010a873fc31e36275b8389368bf67cb5

SHA1
2e2d9ae0ca913fb61e10ef144b25fa04e75fa09f

SHA256
a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6

SHA512
361ab6f1bea734f4aaab30a08782aed0cded004c16638837877fe906e2c84a739e63282033bb9b10baed4f5d5e12dfdd218b6c10bcb5c8b7d8173a51df54075e

Download Submit
C:\Windows\SysWOW64\registry.exe

Filesize
960KB

MD5
010a873fc31e36275b8389368bf67cb5

SHA1
2e2d9ae0ca913fb61e10ef144b25fa04e75fa09f

SHA256
a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6

SHA512
361ab6f1bea734f4aaab30a08782aed0cded004c16638837877fe906e2c84a739e63282033bb9b10baed4f5d5e12dfdd218b6c10bcb5c8b7d8173a51df54075e

Download Submit
C:\Windows\SysWOW64\registry.exe

Filesize
960KB

MD5
010a873fc31e36275b8389368bf67cb5

SHA1
2e2d9ae0ca913fb61e10ef144b25fa04e75fa09f

SHA256
a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6

SHA512
361ab6f1bea734f4aaab30a08782aed0cded004c16638837877fe906e2c84a739e63282033bb9b10baed4f5d5e12dfdd218b6c10bcb5c8b7d8173a51df54075e

Download Submit
C:\Windows\SysWOW64\registry.exe

Filesize
960KB

MD5
010a873fc31e36275b8389368bf67cb5

SHA1
2e2d9ae0ca913fb61e10ef144b25fa04e75fa09f

SHA256
a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6

SHA512
361ab6f1bea734f4aaab30a08782aed0cded004c16638837877fe906e2c84a739e63282033bb9b10baed4f5d5e12dfdd218b6c10bcb5c8b7d8173a51df54075e

Download Submit
C:\Windows\SysWOW64\registry.exe

Filesize
960KB

MD5
010a873fc31e36275b8389368bf67cb5

SHA1
2e2d9ae0ca913fb61e10ef144b25fa04e75fa09f

SHA256
a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6

SHA512
361ab6f1bea734f4aaab30a08782aed0cded004c16638837877fe906e2c84a739e63282033bb9b10baed4f5d5e12dfdd218b6c10bcb5c8b7d8173a51df54075e

Download Submit
C:\Windows\SysWOW64\registry.exe

Filesize
960KB

MD5
010a873fc31e36275b8389368bf67cb5

SHA1
2e2d9ae0ca913fb61e10ef144b25fa04e75fa09f

SHA256
a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6

SHA512
361ab6f1bea734f4aaab30a08782aed0cded004c16638837877fe906e2c84a739e63282033bb9b10baed4f5d5e12dfdd218b6c10bcb5c8b7d8173a51df54075e

Download Submit
C:\Windows\SysWOW64\registry.exe

Filesize
960KB

MD5
010a873fc31e36275b8389368bf67cb5

SHA1
2e2d9ae0ca913fb61e10ef144b25fa04e75fa09f

SHA256
a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6

SHA512
361ab6f1bea734f4aaab30a08782aed0cded004c16638837877fe906e2c84a739e63282033bb9b10baed4f5d5e12dfdd218b6c10bcb5c8b7d8173a51df54075e

Download Submit
C:\Windows\SysWOW64\registry.exe

Filesize
960KB

MD5
010a873fc31e36275b8389368bf67cb5

SHA1
2e2d9ae0ca913fb61e10ef144b25fa04e75fa09f

SHA256
a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6

SHA512
361ab6f1bea734f4aaab30a08782aed0cded004c16638837877fe906e2c84a739e63282033bb9b10baed4f5d5e12dfdd218b6c10bcb5c8b7d8173a51df54075e

Download Submit
C:\Windows\SysWOW64\registry.exe

Filesize
960KB

MD5
010a873fc31e36275b8389368bf67cb5

SHA1
2e2d9ae0ca913fb61e10ef144b25fa04e75fa09f

SHA256
a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6

SHA512
361ab6f1bea734f4aaab30a08782aed0cded004c16638837877fe906e2c84a739e63282033bb9b10baed4f5d5e12dfdd218b6c10bcb5c8b7d8173a51df54075e

Download Submit
C:\Windows\SysWOW64\registry.exe

Filesize
960KB

MD5
010a873fc31e36275b8389368bf67cb5

SHA1
2e2d9ae0ca913fb61e10ef144b25fa04e75fa09f

SHA256
a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6

SHA512
361ab6f1bea734f4aaab30a08782aed0cded004c16638837877fe906e2c84a739e63282033bb9b10baed4f5d5e12dfdd218b6c10bcb5c8b7d8173a51df54075e

Download Submit
C:\Windows\SysWOW64\registry.exe

Filesize
960KB

MD5
010a873fc31e36275b8389368bf67cb5

SHA1
2e2d9ae0ca913fb61e10ef144b25fa04e75fa09f

SHA256
a99320d32455a56b40bede5fb58311f4db24e6722fa20c832e24c8671b324fd6

SHA512
361ab6f1bea734f4aaab30a08782aed0cded004c16638837877fe906e2c84a739e63282033bb9b10baed4f5d5e12dfdd218b6c10bcb5c8b7d8173a51df54075e

Download Submit
memory/1000-158-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1480-146-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1792-152-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2808-161-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/3680-164-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4052-137-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4284-143-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4316-155-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4712-140-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4968-136-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4968-132-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4992-149-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download