5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704

Analysis

max time kernel
142s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Size

178KB
MD5

5a771635647f93c7491bd824ad007230
SHA1

5585f67f559d236b37e4a638693d30d166c97abd
SHA256

5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704
SHA512

c64ada4216f789c025adea828351f6b39afe1a46a6209f8775b73605b462beb841e791a9305148bc9d7268fae3996a77a6a596e44ccf675678cb2a9f0bd33fbe
SSDEEP

3072:pz+PxHXJYrdeBxMclE6wFp8osXEw6IIX3I038c+nyEkeIY2TPbum9Nlov6e:pz+pqwBOcu92o38czvPbPQvZ

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\TXP1atform.exe	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
File created	C:\Windows\SysWOW64\drivers\TXP1atform.exe	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe

Executes dropped EXE 2 IoCs

pid	Process
1132	TXP1atform.exe
2844	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1964-132-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral2/files/0x0007000000022e1a-135.dat	upx
behavioral2/files/0x0007000000022e1a-137.dat	upx
behavioral2/memory/1132-138-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral2/memory/1964-139-0x0000000000400000-0x000000000044D000-memory.dmp	upx

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166F5F55-C747-4AD7-8D85-79E6BE7394B1}\ProgID	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF67874D-356F-4B14-979C-020A01763691}\1.0\HELPDIR	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\ = "IApplication"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\TypeLib	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A9CB768C-86A2-479E-A7A2-6D9893F0BC39}	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A9CB768C-86A2-479E-A7A2-6D9893F0BC39}	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.Application\ = "Application Class"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166F5F55-C747-4AD7-8D85-79E6BE7394B1}\AppID = "{A9CB768C-86A2-479E-A7A2-6D9893F0BC39}"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF67874D-356F-4B14-979C-020A01763691}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.Application	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166F5F55-C747-4AD7-8D85-79E6BE7394B1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe\""	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF67874D-356F-4B14-979C-020A01763691}\1.0\ = "launcher 1.0 Type Library"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF67874D-356F-4B14-979C-020A01763691}\1.0\FLAGS\ = "0"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\ProxyStubClsid32	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A9CB768C-86A2-479E-A7A2-6D9893F0BC39}\ = "launcher"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\launcher.EXE	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.Application\CLSID\ = "{166F5F55-C747-4AD7-8D85-79E6BE7394B1}"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF67874D-356F-4B14-979C-020A01763691}\1.0\FLAGS	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF67874D-356F-4B14-979C-020A01763691}\1.0\0\win32	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF67874D-356F-4B14-979C-020A01763691}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\TypeLib	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.Application.1\CLSID\ = "{166F5F55-C747-4AD7-8D85-79E6BE7394B1}"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.Application\CLSID	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.Application.1\CLSID	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166F5F55-C747-4AD7-8D85-79E6BE7394B1}	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\ProxyStubClsid32	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\TypeLib\Version = "1.0"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\launcher.EXE\AppID = "{A9CB768C-86A2-479E-A7A2-6D9893F0BC39}"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.Application.1\ = "Application Class"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF67874D-356F-4B14-979C-020A01763691}	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\launcher.EXE	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166F5F55-C747-4AD7-8D85-79E6BE7394B1}\ProgID\ = "Launcher.Application.1"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166F5F55-C747-4AD7-8D85-79E6BE7394B1}\VersionIndependentProgID	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166F5F55-C747-4AD7-8D85-79E6BE7394B1}\LocalServer32	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF67874D-356F-4B14-979C-020A01763691}\1.0\0	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\ = "IApplication"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\TypeLib\ = "{FF67874D-356F-4B14-979C-020A01763691}"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\TypeLib\Version = "1.0"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.Application.1	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166F5F55-C747-4AD7-8D85-79E6BE7394B1}\ = "Application Class"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\TypeLib\ = "{FF67874D-356F-4B14-979C-020A01763691}"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166F5F55-C747-4AD7-8D85-79E6BE7394B1}\VersionIndependentProgID\ = "Launcher.Application"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF67874D-356F-4B14-979C-020A01763691}\1.0	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1964	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
1964	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
1132	TXP1atform.exe
1132	TXP1atform.exe
1132	TXP1atform.exe
1132	TXP1atform.exe
1132	TXP1atform.exe
1132	TXP1atform.exe
1132	TXP1atform.exe
1132	TXP1atform.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2584	1964	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe	79
PID 1964 wrote to memory of 2584	1964	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe	79
PID 1964 wrote to memory of 2584	1964	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe	79
PID 1964 wrote to memory of 1132	1964	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe	81
PID 1964 wrote to memory of 1132	1964	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe	81
PID 1964 wrote to memory of 1132	1964	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe	81
PID 2584 wrote to memory of 2844	2584	cmd.exe	82
PID 2584 wrote to memory of 2844	2584	cmd.exe	82
PID 2584 wrote to memory of 2844	2584	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
"C:\Users\Admin\AppData\Local\Temp\5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\20$$.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
    "C:\Users\Admin\AppData\Local\Temp\5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2844
- C:\Windows\SysWOW64\drivers\TXP1atform.exe
  C:\Windows\system32\drivers\TXP1atform.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\20$$.bat

Filesize
677B

MD5
aa96f54cd180cce83794294fea661573

SHA1
cb6295f10693d4e590ff4455159e17c4950edf67

SHA256
aa1a768f5ff50bdd6fd44b739030f3bdfb1c229a7de555fd277dd6dc211fd401

SHA512
6d1b35b0355c335a377a52e9864019f82c7fd9b6a9bb84117802a7850226c1b04c685a89ccb005585bd5f9065b5a746d249e2126c49bcb12e38ba59e4e19b273

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe

Filesize
100KB

MD5
fb76d62d5357377b720264a80134c93d

SHA1
0b00534dcfd362ddfa10aea84b40b79e91747cd2

SHA256
af8484659848fc7989a2fba89a10dc00ac485905545a081941c56a1f397b0b5e

SHA512
1a840a4c9eae9e49a5b17b958a89d717845ebebe2fa34203042f52bc867c309b95a29553a65df70ec1b215821e0059de660f4d5b980752df9c61164d11b1c66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe.exe

Filesize
100KB

MD5
fb76d62d5357377b720264a80134c93d

SHA1
0b00534dcfd362ddfa10aea84b40b79e91747cd2

SHA256
af8484659848fc7989a2fba89a10dc00ac485905545a081941c56a1f397b0b5e

SHA512
1a840a4c9eae9e49a5b17b958a89d717845ebebe2fa34203042f52bc867c309b95a29553a65df70ec1b215821e0059de660f4d5b980752df9c61164d11b1c66e

Download Submit
C:\Windows\SysWOW64\drivers\TXP1atform.exe

Filesize
78KB

MD5
dcac87c3ec93f39f5a0235a02a49f0d9

SHA1
957d14aba802bd93578b7a8c96035b8e01eb623f

SHA256
56facab9390d510f93d1654c6fda85a205d3b8f02691bb3829fdf5129638633f

SHA512
ca958849f7ae215b76837fbb4fffe84562a4212283af53aa04e138cd374280af6ce1d10b5b91c507fc87026ff56e8b27a1af7bf0cd8635c87ad1dff349ca00fb

Download Submit
C:\Windows\SysWOW64\drivers\TXP1atform.exe

Filesize
78KB

MD5
dcac87c3ec93f39f5a0235a02a49f0d9

SHA1
957d14aba802bd93578b7a8c96035b8e01eb623f

SHA256
56facab9390d510f93d1654c6fda85a205d3b8f02691bb3829fdf5129638633f

SHA512
ca958849f7ae215b76837fbb4fffe84562a4212283af53aa04e138cd374280af6ce1d10b5b91c507fc87026ff56e8b27a1af7bf0cd8635c87ad1dff349ca00fb

Download Submit
memory/1132-138-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1964-132-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1964-139-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download