b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d

General

Target

b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe
Size

66KB
MD5

dbfe4eebed7a16283fdeb8c31919ec54
SHA1

e946913e39b51e92bca060725343f5dd7df560f8
SHA256

b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d
SHA512

46fd1e055ef7d0ad0059a3b102eb59049174496ed89e936b82122f0999153ac2e770809e4ba6a8421ca45111c0c963cf41000bb1c1e2064ed1c43862841875c4
SSDEEP

1536:kbEt26/jLp82dpNikzPQuHuLKxUiRKNCri+EdjyEW7:jT/5PN/i3tQrHEhyEW7

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1292-57-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/1292-60-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/1292-62-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe"	b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 1292	1632	b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe	28

Runs .reg file with regedit 1 IoCs

pid	Process
1488	regedit.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1632	b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1632	b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe
1632	b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1488	1632	b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe	27
PID 1632 wrote to memory of 1488	1632	b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe	27
PID 1632 wrote to memory of 1488	1632	b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe	27
PID 1632 wrote to memory of 1488	1632	b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe	27
PID 1632 wrote to memory of 1292	1632	b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe	28
PID 1632 wrote to memory of 1292	1632	b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe	28
PID 1632 wrote to memory of 1292	1632	b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe	28
PID 1632 wrote to memory of 1292	1632	b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe	28
PID 1632 wrote to memory of 1292	1632	b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe	28
PID 1632 wrote to memory of 1292	1632	b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe	28
PID 1632 wrote to memory of 1292	1632	b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe	28
PID 1632 wrote to memory of 1292	1632	b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe	28

C:\Users\Admin\AppData\Local\Temp\b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe
"C:\Users\Admin\AppData\Local\Temp\b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\regedit.exe
  regedit /s "C:\Users\Admin\AppData\Local\Temp\Certificates.reg"
  2⤵
  - Runs .reg file with regedit
  PID:1488
- C:\Users\Admin\AppData\Local\Temp\b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe
  C:\Users\Admin\AppData\Local\Temp\b894b22158865089fd992565ef9e85b9cc3fa141bcc730f3d80a7060075e3e5d.exe
  2⤵
  PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Certificates.reg

Filesize
10KB

MD5
8a6f74c3b2c9e752bf85259e383e9555

SHA1
fd6b9587350685fa60d0e3126913e76cbdd1ee0a

SHA256
b142b3d5d587b1b489373dbff6689547da0428fc72e889ac29fd0e259ff7c4e3

SHA512
93861ace47838b0fe066ec42c29c969e3df9c333bc76ef0e071a54a04117c9683546eeed2da6e8209f4067c94735438e6511c73aef1d84d1b162ae799e841677

Download Submit
memory/1292-55-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1292-57-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1292-60-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1292-62-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1488-56-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing