d002caa2b4930ba9940ed0a54c7fecef6e164b5ed0795b869ad61436b344998c

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 09:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d002caa2b4930ba9940ed0a54c7fecef6e164b5ed0795b869ad61436b344998c.exe
Size

209KB
MD5

e7bd9c7f181a752f5d084edb1c10f95a
SHA1

a77cd0369998db6dc835706a0f615fe5f5224896
SHA256

d002caa2b4930ba9940ed0a54c7fecef6e164b5ed0795b869ad61436b344998c
SHA512

55bcba3111df0b71813861c7977e0705168c2ab00c51907bf8448a93196898950b92d36d53e7a822189e10426422ebf30af162019e62fae3ed654d61d1caa405
SSDEEP

3072:CL75dw7dh1ioeYJKB41u1v/en8NerNzaDWlRPsQ5yHL0ByyZ07TJct8En314FrsN:CLNB4K+n8NexIWlBDSyOPEl9hbJMNQ

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{243A6F3F-D8C0-4EED-8735-105A14AA56A0}	d002caa2b4930ba9940ed0a54c7fecef6e164b5ed0795b869ad61436b344998c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{243A6F3F-D8C0-4EED-8735-105A14AA56A0}\StubPath = "C:\\Windows\\system32\\svchost.exe"	d002caa2b4930ba9940ed0a54c7fecef6e164b5ed0795b869ad61436b344998c.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/852-55-0x0000000013140000-0x00000000131D4000-memory.dmp	upx
behavioral1/memory/852-56-0x0000000013140000-0x00000000131D4000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchost.exe	d002caa2b4930ba9940ed0a54c7fecef6e164b5ed0795b869ad61436b344998c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
852	d002caa2b4930ba9940ed0a54c7fecef6e164b5ed0795b869ad61436b344998c.exe

C:\Users\Admin\AppData\Local\Temp\d002caa2b4930ba9940ed0a54c7fecef6e164b5ed0795b869ad61436b344998c.exe
"C:\Users\Admin\AppData\Local\Temp\d002caa2b4930ba9940ed0a54c7fecef6e164b5ed0795b869ad61436b344998c.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/852-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/852-55-0x0000000013140000-0x00000000131D4000-memory.dmp

Filesize
592KB

Download
memory/852-56-0x0000000013140000-0x00000000131D4000-memory.dmp

Filesize
592KB

Download