f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88

Analysis

max time kernel
153s
max time network
166s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe
Size

1.7MB
MD5

d342545cee7a75b36e22a51c6014f24b
SHA1

1ff4c3d122e800c5bcdd5f5d28b8028f7d5ec565
SHA256

f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88
SHA512

a70af35f0192c79a41f171f80f00f0d2895a8d560ab81db92c56562638592e600a4f9f71d8b778b5d3c2611de22e86dc1befe99e8de7e9da9ff46e249fcfffed
SSDEEP

49152:KGCZVJhdKsafhKtGqKIBwiCd99q5sTU83lMq:KGoVQsafUGimU5sTU/q

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1304-73-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/1304-75-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/1304-76-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/1304-80-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/1304-100-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/1304-107-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/1304-110-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/1304-112-0x0000000000400000-0x00000000006B3000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	checkip.dyndns.org

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1448 set thread context of 1888	1448	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	28
PID 1888 set thread context of 1304	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	29
PID 1888 set thread context of 1760	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	30
PID 1888 set thread context of 1496	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	32

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1304	svchost.exe
1304	svchost.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 1888	1448	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	28
PID 1448 wrote to memory of 1888	1448	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	28
PID 1448 wrote to memory of 1888	1448	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	28
PID 1448 wrote to memory of 1888	1448	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	28
PID 1448 wrote to memory of 1888	1448	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	28
PID 1448 wrote to memory of 1888	1448	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	28
PID 1448 wrote to memory of 1888	1448	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	28
PID 1448 wrote to memory of 1888	1448	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	28
PID 1448 wrote to memory of 1888	1448	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	28
PID 1448 wrote to memory of 1888	1448	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	28
PID 1448 wrote to memory of 1888	1448	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	28
PID 1888 wrote to memory of 1304	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	29
PID 1888 wrote to memory of 1304	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	29
PID 1888 wrote to memory of 1304	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	29
PID 1888 wrote to memory of 1304	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	29
PID 1888 wrote to memory of 1304	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	29
PID 1888 wrote to memory of 1304	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	29
PID 1888 wrote to memory of 1304	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	29
PID 1888 wrote to memory of 1304	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	29
PID 1888 wrote to memory of 1760	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	30
PID 1888 wrote to memory of 1760	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	30
PID 1888 wrote to memory of 1760	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	30
PID 1888 wrote to memory of 1760	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	30
PID 1888 wrote to memory of 1760	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	30
PID 1888 wrote to memory of 1760	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	30
PID 1888 wrote to memory of 1760	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	30
PID 1888 wrote to memory of 1760	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	30
PID 1888 wrote to memory of 1760	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	30
PID 1888 wrote to memory of 1760	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	30
PID 1888 wrote to memory of 1496	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	32
PID 1888 wrote to memory of 1496	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	32
PID 1888 wrote to memory of 1496	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	32
PID 1888 wrote to memory of 1496	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	32
PID 1888 wrote to memory of 1496	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	32
PID 1888 wrote to memory of 1496	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	32
PID 1888 wrote to memory of 1496	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	32
PID 1888 wrote to memory of 1496	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	32
PID 1888 wrote to memory of 1496	1888	f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe	32

C:\Users\Admin\AppData\Local\Temp\f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe
"C:\Users\Admin\AppData\Local\Temp\f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe
  C:\Users\Admin\AppData\Local\Temp\f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe --HiddenServiceDir "C:\Users\Admin\AppData\Roaming\tor\hidden_service" --HiddenServicePort "55080 127.0.0.1:55080"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1304
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe (null)
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe ext "C:\Users\Admin\AppData\Local\Temp\f974de8f3c4c363112d61baffdf72e34911458b999b3994b5713ed0c3a1bec88.exe"
    3⤵
    PID:1496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1304-100-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/1304-75-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/1304-77-0x00000000006B0800-mapping.dmp

Download
memory/1304-76-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/1304-107-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/1304-112-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/1304-73-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/1304-72-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/1304-110-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/1304-80-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/1448-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/1496-102-0x00000000004164A1-mapping.dmp

Download
memory/1496-96-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1496-101-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1496-106-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1496-108-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1496-93-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1496-92-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1496-97-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1760-85-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1760-83-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1760-87-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1760-89-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1760-79-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1760-78-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1760-90-0x0000000000407CBE-mapping.dmp

Download
memory/1760-111-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1760-109-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1760-98-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1888-66-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/1888-67-0x0000000000402B67-mapping.dmp

Download
memory/1888-104-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/1888-64-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/1888-62-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/1888-60-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/1888-58-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/1888-70-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/1888-56-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/1888-71-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/1888-55-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download