e21476b5bb8edfa99fb2f1b0f23415ea5fe310788fcac594b524483967a38cea

Analysis

max time kernel
162s
max time network
205s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e21476b5bb8edfa99fb2f1b0f23415ea5fe310788fcac594b524483967a38cea.exe
Size

609KB
MD5

367943e472d38623f58054f83def4070
SHA1

72f9f602904fa5d4f8466946cd82138c865e9b35
SHA256

e21476b5bb8edfa99fb2f1b0f23415ea5fe310788fcac594b524483967a38cea
SHA512

9402ccb38fd360c3684226013ad0c25e2f54d84e50381b2b9cb52ce52ee8f7cfb9fba0be3a3f745172e7696d75df054494bd0549fe7baf49f83afcc4468f2cfd
SSDEEP

12288:Xyx5HXiZkNdgHfLCCrZZN+Ya8gFEPix+JvkhuzSQ0iJfx6Fk:XwS2SfLlrZZN+/SPY+JvkhuzSQ0ofWk

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/828-54-0x0000000000400000-0x00000000004D8000-memory.dmp	upx
behavioral1/memory/828-58-0x0000000000400000-0x00000000004D8000-memory.dmp	upx
behavioral1/memory/828-59-0x0000000000400000-0x00000000004D8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e21476b5bb8edfa99fb2f1b0f23415ea5fe310788fcac594b524483967a38cea.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\AS2014 = "C:\\ProgramData\\iRalsadd\\iRalsadd.exe"	e21476b5bb8edfa99fb2f1b0f23415ea5fe310788fcac594b524483967a38cea.exe

C:\Users\Admin\AppData\Local\Temp\e21476b5bb8edfa99fb2f1b0f23415ea5fe310788fcac594b524483967a38cea.exe
"C:\Users\Admin\AppData\Local\Temp\e21476b5bb8edfa99fb2f1b0f23415ea5fe310788fcac594b524483967a38cea.exe"
1⤵
- Adds Run key to start application
PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/828-54-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/828-56-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download
memory/828-57-0x00000000004E0000-0x00000000005B8000-memory.dmp

Filesize
864KB

Download
memory/828-58-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/828-59-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download