fe2d58fca1492015bffa7830afed31400a16f8d1eacb906fa62d8a4821a86ba3

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe2d58fca1492015bffa7830afed31400a16f8d1eacb906fa62d8a4821a86ba3.exe
Size

519KB
MD5

a20d5b8f19b11cd7d6861a91c377c643
SHA1

4115355d6b43d82d48967742df6fde045677bcc3
SHA256

fe2d58fca1492015bffa7830afed31400a16f8d1eacb906fa62d8a4821a86ba3
SHA512

a96611ebc2ab9ada8aa31ed1102a1dd8f0c8756532a67691782146f8736d7e5b841dd1e5c795bbb052511782311df21c385124c6744aa4ef34ad16558699b4cf
SSDEEP

12288:vMadZY1uVz5QLV1XiPsw06iEE6uWbj0C4zmMpay:vMaQsReuu6RE63b2N0y

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4772-133-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/4772-134-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/4772-135-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/4772-136-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/4772-137-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fe2d58fca1492015bffa7830afed31400a16f8d1eacb906fa62d8a4821a86ba3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AS2014 = "C:\\ProgramData\\sRVaWXil\\sRVaWXil.exe"	fe2d58fca1492015bffa7830afed31400a16f8d1eacb906fa62d8a4821a86ba3.exe

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fe2d58fca1492015bffa7830afed31400a16f8d1eacb906fa62d8a4821a86ba3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	fe2d58fca1492015bffa7830afed31400a16f8d1eacb906fa62d8a4821a86ba3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	fe2d58fca1492015bffa7830afed31400a16f8d1eacb906fa62d8a4821a86ba3.exe

C:\Users\Admin\AppData\Local\Temp\fe2d58fca1492015bffa7830afed31400a16f8d1eacb906fa62d8a4821a86ba3.exe
"C:\Users\Admin\AppData\Local\Temp\fe2d58fca1492015bffa7830afed31400a16f8d1eacb906fa62d8a4821a86ba3.exe"
1⤵
- Adds Run key to start application
- Checks SCSI registry key(s)
PID:4772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4772-132-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4772-133-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4772-134-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4772-135-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4772-136-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4772-137-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download