809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3

Analysis

max time kernel
167s
max time network
173s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/11/2022, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3.exe
Size

269KB
MD5

076a6e93f37e0fc136e282d46bbe2801
SHA1

8bc5d88456293e305215afd6c36244a901293e50
SHA256

809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3
SHA512

dcea2bcc71be8c5e943003a14b9e259287695b656d04734a02bcbc2fdf7a499abba780e217c77f957cae3ad238097cc02d715d83e1efeec8bc0f4b88201507c5
SSDEEP

6144:gLrA7C3WTj43klok5R6QxKP9UDCxe4ZtYE6dxIQoWV:gfKqWwklok58FegtV6Z7V

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
964	pipa.exe

Deletes itself 1 IoCs

pid	Process
1348	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
368	809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	pipa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pipa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Yhutm\\pipa.exe"	pipa.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 368 set thread context of 1348	368	809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3.exe	28

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
368	809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe
964	pipa.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 964	368	809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3.exe	27
PID 368 wrote to memory of 964	368	809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3.exe	27
PID 368 wrote to memory of 964	368	809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3.exe	27
PID 368 wrote to memory of 964	368	809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3.exe	27
PID 964 wrote to memory of 1116	964	pipa.exe	18
PID 964 wrote to memory of 1116	964	pipa.exe	18
PID 964 wrote to memory of 1116	964	pipa.exe	18
PID 964 wrote to memory of 1116	964	pipa.exe	18
PID 964 wrote to memory of 1116	964	pipa.exe	18
PID 964 wrote to memory of 1176	964	pipa.exe	17
PID 964 wrote to memory of 1176	964	pipa.exe	17
PID 964 wrote to memory of 1176	964	pipa.exe	17
PID 964 wrote to memory of 1176	964	pipa.exe	17
PID 964 wrote to memory of 1176	964	pipa.exe	17
PID 964 wrote to memory of 1244	964	pipa.exe	15
PID 964 wrote to memory of 1244	964	pipa.exe	15
PID 964 wrote to memory of 1244	964	pipa.exe	15
PID 964 wrote to memory of 1244	964	pipa.exe	15
PID 964 wrote to memory of 1244	964	pipa.exe	15
PID 964 wrote to memory of 368	964	pipa.exe	16
PID 964 wrote to memory of 368	964	pipa.exe	16
PID 964 wrote to memory of 368	964	pipa.exe	16
PID 964 wrote to memory of 368	964	pipa.exe	16
PID 964 wrote to memory of 368	964	pipa.exe	16
PID 368 wrote to memory of 1348	368	809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3.exe	28
PID 368 wrote to memory of 1348	368	809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3.exe	28
PID 368 wrote to memory of 1348	368	809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3.exe	28
PID 368 wrote to memory of 1348	368	809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3.exe	28
PID 368 wrote to memory of 1348	368	809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3.exe	28
PID 368 wrote to memory of 1348	368	809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3.exe	28
PID 368 wrote to memory of 1348	368	809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3.exe	28
PID 368 wrote to memory of 1348	368	809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3.exe	28
PID 368 wrote to memory of 1348	368	809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3.exe
  "C:\Users\Admin\AppData\Local\Temp\809f5007e7e771dbb791d08e166770b17c2de15908b300ef1a241ac9f23215d3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Users\Admin\AppData\Local\Temp\Yhutm\pipa.exe
    "C:\Users\Admin\AppData\Local\Temp\Yhutm\pipa.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNUD50E.bat"
    3⤵
    - Deletes itself
    PID:1348

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MNUD50E.bat

Filesize
280B

MD5
c2e171fc611b92637af12fa1725e3a7f

SHA1
f4134455bd42f8b8a6cc0aedd7ed52cd25d789ab

SHA256
1723b792cdefacc889fa261d2f76f2472f86c97db13cc6db36d09befc03d7752

SHA512
919ba4d41548b3bae93b30ac538a1394cb4e356cbf3c8dc8381df410154e2274ab522c135eb232bf0944c59234313e659985db5b4612f75d17910c5a1026361e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yhutm\pipa.exe

Filesize
269KB

MD5
c396b4af66bd13442a304ee44a95ca38

SHA1
676379d4a2205df4d8c8e75ada31bd1a31e07837

SHA256
b36bd382462e64d57109824551617b77d54206f511497f98f5b82515ba7a34a8

SHA512
71a2b674f012230c6449e62e3b11437135871351659709b074083903c9bc86c1806ac497308e5c15fb1d0abcc028cbbfed8f9016218c5597cbfd31fb08f00241

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yhutm\pipa.exe

Filesize
269KB

MD5
c396b4af66bd13442a304ee44a95ca38

SHA1
676379d4a2205df4d8c8e75ada31bd1a31e07837

SHA256
b36bd382462e64d57109824551617b77d54206f511497f98f5b82515ba7a34a8

SHA512
71a2b674f012230c6449e62e3b11437135871351659709b074083903c9bc86c1806ac497308e5c15fb1d0abcc028cbbfed8f9016218c5597cbfd31fb08f00241

Download Submit
\Users\Admin\AppData\Local\Temp\Yhutm\pipa.exe

Filesize
269KB

MD5
c396b4af66bd13442a304ee44a95ca38

SHA1
676379d4a2205df4d8c8e75ada31bd1a31e07837

SHA256
b36bd382462e64d57109824551617b77d54206f511497f98f5b82515ba7a34a8

SHA512
71a2b674f012230c6449e62e3b11437135871351659709b074083903c9bc86c1806ac497308e5c15fb1d0abcc028cbbfed8f9016218c5597cbfd31fb08f00241

Download Submit
memory/368-95-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/368-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/368-88-0x00000000000A0000-0x00000000000E2000-memory.dmp

Filesize
264KB

Download
memory/368-57-0x00000000001D0000-0x00000000001E9000-memory.dmp

Filesize
100KB

Download
memory/368-56-0x0000000000301000-0x0000000000304000-memory.dmp

Filesize
12KB

Download
memory/368-90-0x00000000000A0000-0x00000000000E2000-memory.dmp

Filesize
264KB

Download
memory/368-91-0x00000000000A0000-0x00000000000E2000-memory.dmp

Filesize
264KB

Download
memory/368-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/368-54-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/368-55-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/368-107-0x00000000000A0000-0x00000000000E2000-memory.dmp

Filesize
264KB

Download
memory/368-106-0x0000000000301000-0x0000000000304000-memory.dmp

Filesize
12KB

Download
memory/368-97-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/368-96-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/368-89-0x00000000000A0000-0x00000000000E2000-memory.dmp

Filesize
264KB

Download
memory/368-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/368-58-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/964-118-0x0000000000240000-0x0000000000259000-memory.dmp

Filesize
100KB

Download
memory/964-67-0x0000000000240000-0x0000000000259000-memory.dmp

Filesize
100KB

Download
memory/964-66-0x00000000006C1000-0x00000000006C4000-memory.dmp

Filesize
12KB

Download
memory/1116-70-0x0000000001CA0000-0x0000000001CE2000-memory.dmp

Filesize
264KB

Download
memory/1116-72-0x0000000001CA0000-0x0000000001CE2000-memory.dmp

Filesize
264KB

Download
memory/1116-68-0x0000000001CA0000-0x0000000001CE2000-memory.dmp

Filesize
264KB

Download
memory/1116-71-0x0000000001CA0000-0x0000000001CE2000-memory.dmp

Filesize
264KB

Download
memory/1116-73-0x0000000001CA0000-0x0000000001CE2000-memory.dmp

Filesize
264KB

Download
memory/1176-77-0x0000000001AC0000-0x0000000001B02000-memory.dmp

Filesize
264KB

Download
memory/1176-79-0x0000000001AC0000-0x0000000001B02000-memory.dmp

Filesize
264KB

Download
memory/1176-76-0x0000000001AC0000-0x0000000001B02000-memory.dmp

Filesize
264KB

Download
memory/1176-78-0x0000000001AC0000-0x0000000001B02000-memory.dmp

Filesize
264KB

Download
memory/1244-85-0x00000000025A0000-0x00000000025E2000-memory.dmp

Filesize
264KB

Download
memory/1244-84-0x00000000025A0000-0x00000000025E2000-memory.dmp

Filesize
264KB

Download
memory/1244-83-0x00000000025A0000-0x00000000025E2000-memory.dmp

Filesize
264KB

Download
memory/1244-82-0x00000000025A0000-0x00000000025E2000-memory.dmp

Filesize
264KB

Download
memory/1348-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1348-104-0x00000000000D0000-0x0000000000112000-memory.dmp

Filesize
264KB

Download
memory/1348-103-0x00000000000D0000-0x0000000000112000-memory.dmp

Filesize
264KB

Download
memory/1348-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1348-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1348-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1348-113-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1348-114-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1348-115-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1348-102-0x00000000000D0000-0x0000000000112000-memory.dmp

Filesize
264KB

Download
memory/1348-117-0x00000000000D0000-0x0000000000112000-memory.dmp

Filesize
264KB

Download
memory/1348-100-0x00000000000D0000-0x0000000000112000-memory.dmp

Filesize
264KB

Download