395a11bcb5e043875ce1370619a37a27102e69f3279f6ba3ae585644350ab50e

Analysis

max time kernel
139s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Label_LU.exe
Size

119KB
MD5

1337dd75f7a43ae8cbb00727b5576baf
SHA1

d26698bee1292cfe0bd0acd9c9c66d64f02e0486
SHA256

031540bc74e2d04f4165fd63a2e72f112a1deca2896308637ccbfd50f08523a0
SHA512

d86500dacd9f82dbdf82f874728fd08d3d9359f943177ed044f2592b7fd133c1247bdb8fce94777c3e84e44ae6eb4652067ad91d2c9c8ecc8eb4e425e0d8d12f
SSDEEP

3072:MyPWFq7RlwGL/5CSmk5pb6nVyh/dy7a5wgHmc:Sq7R6GL/5CSmk5Yoh/egHx

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ncbsbxwm = "\"C:\\Users\\Admin\\AppData\\Local\\erqphsqm.exe\""	svchost.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Label_LU.exe

pid process

1788 Label_LU.exe
1788 Label_LU.exe

pid	process
1788	Label_LU.exe
1788	Label_LU.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Label_LU.exe

description	pid	process	target process
PID 1788 wrote to memory of 1880	1788	Label_LU.exe	svchost.exe
PID 1788 wrote to memory of 1880	1788	Label_LU.exe	svchost.exe
PID 1788 wrote to memory of 1880	1788	Label_LU.exe	svchost.exe
PID 1788 wrote to memory of 1880	1788	Label_LU.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Label_LU.exe
"C:\Users\Admin\AppData\Local\Temp\Label_LU.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Adds Run key to start application
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1788-54-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/1880-56-0x0000000000000000-mapping.dmp

Download
memory/1880-57-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1880-58-0x0000000000700000-0x0000000000708000-memory.dmp

Filesize
32KB

Download
memory/1880-59-0x0000000000080000-0x0000000000091000-memory.dmp

Filesize
68KB

Download
memory/1880-60-0x00000000003F0000-0x0000000000470000-memory.dmp

Filesize
512KB

Download