f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9

Analysis

max time kernel
149s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9.exe
Size

723KB
MD5

3184d45c1bb061f8c1d1aa33b1589af1
SHA1

e89858a93ad1e4553b9759a621d051a16385a848
SHA256

f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9
SHA512

415280e60b60f36f0c5d50d9b79e22f04bb91bfa265abea86fc73f01e5f5e4fba5a5325b401c236bcda00a6c2c4d79b85669c48659adffe757f49e67029366e8
SSDEEP

12288:h8INhSGjMnZdUZRAawpgBSthNw5x9uG/fMvQTQgNSQAR:OZGYZdwzcHtLwX9ugfMvQUgQb

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

saavpmifat.pre

pid process

4000 saavpmifat.pre

pid	process
4000	saavpmifat.pre

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3144-133-0x0000000000290000-0x0000000000524000-memory.dmp	upx
behavioral2/memory/3144-135-0x0000000000290000-0x0000000000524000-memory.dmp	upx
behavioral2/memory/4000-141-0x0000000000A30000-0x0000000000CC4000-memory.dmp	upx
behavioral2/memory/4000-144-0x0000000000A30000-0x0000000000CC4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jkealoja = "C:\\Users\\Admin\\AppData\\Local\\Fxsm\\dshgloja.exe"	dllhost.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9.exedllhost.exesaavpmifat.pre

description	pid	process	target process
PID 3144 wrote to memory of 3128	3144	f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9.exe	dllhost.exe
PID 3144 wrote to memory of 3128	3144	f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9.exe	dllhost.exe
PID 3144 wrote to memory of 3128	3144	f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9.exe	dllhost.exe
PID 3144 wrote to memory of 3128	3144	f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9.exe	dllhost.exe
PID 3128 wrote to memory of 4000	3128	dllhost.exe	saavpmifat.pre
PID 3128 wrote to memory of 4000	3128	dllhost.exe	saavpmifat.pre
PID 3128 wrote to memory of 4000	3128	dllhost.exe	saavpmifat.pre
PID 4000 wrote to memory of 4508	4000	saavpmifat.pre	dllhost.exe
PID 4000 wrote to memory of 4508	4000	saavpmifat.pre	dllhost.exe
PID 4000 wrote to memory of 4508	4000	saavpmifat.pre	dllhost.exe
PID 4000 wrote to memory of 4508	4000	saavpmifat.pre	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9.exe
"C:\Users\Admin\AppData\Local\Temp\f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\saavpmifat.pre
C:\Users\Admin\AppData\Local\Temp\saavpmifat.pre
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
4⤵
- Adds Run key to start application
PID:4508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\saavpmifat.pre

Filesize
723KB

MD5
3184d45c1bb061f8c1d1aa33b1589af1

SHA1
e89858a93ad1e4553b9759a621d051a16385a848

SHA256
f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9

SHA512
415280e60b60f36f0c5d50d9b79e22f04bb91bfa265abea86fc73f01e5f5e4fba5a5325b401c236bcda00a6c2c4d79b85669c48659adffe757f49e67029366e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\saavpmifat.pre

Filesize
723KB

MD5
3184d45c1bb061f8c1d1aa33b1589af1

SHA1
e89858a93ad1e4553b9759a621d051a16385a848

SHA256
f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9

SHA512
415280e60b60f36f0c5d50d9b79e22f04bb91bfa265abea86fc73f01e5f5e4fba5a5325b401c236bcda00a6c2c4d79b85669c48659adffe757f49e67029366e8

Download Submit
memory/3128-136-0x0000000000000000-mapping.dmp

Download
memory/3128-137-0x000000007F700000-0x000000007F710000-memory.dmp

Filesize
64KB

Download
memory/3144-132-0x00000000028F0000-0x00000000028F5000-memory.dmp

Filesize
20KB

Download
memory/3144-135-0x0000000000290000-0x0000000000524000-memory.dmp

Filesize
2.6MB

Download
memory/3144-133-0x0000000000290000-0x0000000000524000-memory.dmp

Filesize
2.6MB

Download
memory/4000-138-0x0000000000000000-mapping.dmp

Download
memory/4000-141-0x0000000000A30000-0x0000000000CC4000-memory.dmp

Filesize
2.6MB

Download
memory/4000-143-0x0000000002A20000-0x0000000002A25000-memory.dmp

Filesize
20KB

Download
memory/4000-144-0x0000000000A30000-0x0000000000CC4000-memory.dmp

Filesize
2.6MB

Download
memory/4508-145-0x0000000000000000-mapping.dmp

Download
memory/4508-146-0x000000007F490000-0x000000007F4A0000-memory.dmp

Filesize
64KB

Download
memory/4508-147-0x000000007F490000-0x000000007F4A0000-memory.dmp

Filesize
64KB

Download