942d540276b90f68721360fe58a51f453684b1b3409975e424c76dcf02a416ee

Analysis

max time kernel
190s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

942d540276b90f68721360fe58a51f453684b1b3409975e424c76dcf02a416ee.exe
Size

21KB
MD5

37c0d8c1fd04770e2f2f92290bb14c1f
SHA1

8f2cbf96408b8ba466c9bbe2ca98f5b04bd31163
SHA256

942d540276b90f68721360fe58a51f453684b1b3409975e424c76dcf02a416ee
SHA512

4dfd47c559466166afd9c9159e44ba2f7a86495ab28c1cb6145bcd71c172a92df2a1298dd5aa5790a0cbd1ee1b97b713ea0d97eb7a283429f453ef3b01517966
SSDEEP

384:vcvdokFnsISYWAzPQuLdrSUiFnPDyjsTKy7lgi2PvtmV4J//C9eB/:qDFnEYWFIrS7PDDKy7H2PvtmiJyi

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4528-132-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4528-133-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4528-134-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	942d540276b90f68721360fe58a51f453684b1b3409975e424c76dcf02a416ee.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4528	942d540276b90f68721360fe58a51f453684b1b3409975e424c76dcf02a416ee.exe
4528	942d540276b90f68721360fe58a51f453684b1b3409975e424c76dcf02a416ee.exe
4528	942d540276b90f68721360fe58a51f453684b1b3409975e424c76dcf02a416ee.exe
4528	942d540276b90f68721360fe58a51f453684b1b3409975e424c76dcf02a416ee.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4528	942d540276b90f68721360fe58a51f453684b1b3409975e424c76dcf02a416ee.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4528	942d540276b90f68721360fe58a51f453684b1b3409975e424c76dcf02a416ee.exe

C:\Users\Admin\AppData\Local\Temp\942d540276b90f68721360fe58a51f453684b1b3409975e424c76dcf02a416ee.exe
"C:\Users\Admin\AppData\Local\Temp\942d540276b90f68721360fe58a51f453684b1b3409975e424c76dcf02a416ee.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
PID:4528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4528-132-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4528-133-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4528-134-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download