92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe
Size

608KB
MD5

c07c35d459dbe4fd2e6e230e9a9b8e83
SHA1

37a658665f9b9cc3712a7f91317682273a218376
SHA256

92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4
SHA512

79391946787802fdb6e0abe708748b57f391c06343a44c4e8300b8a6a5a1daaf61d5bf7fa9ee74caa1f549bb20310dabfc8ec7cd177f7d1f02b56a6768724d2f
SSDEEP

12288:FBG8Z5eJocFYE1nm2q/u45KX0bgcq0em/SQoz/m:7G8Kq1

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1196-55-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/1196-71-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/files/0x000a000000012677-74.dat	upx

Deletes itself 1 IoCs

pid	Process
1048	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1196 set thread context of 1652	1196	92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe	27

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1924	reg.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 1652	1196	92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe	27
PID 1196 wrote to memory of 1652	1196	92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe	27
PID 1196 wrote to memory of 1652	1196	92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe	27
PID 1196 wrote to memory of 1652	1196	92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe	27
PID 1196 wrote to memory of 1652	1196	92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe	27
PID 1196 wrote to memory of 1652	1196	92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe	27
PID 1196 wrote to memory of 1652	1196	92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe	27
PID 1196 wrote to memory of 1652	1196	92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe	27
PID 1652 wrote to memory of 936	1652	92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe	28
PID 1652 wrote to memory of 936	1652	92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe	28
PID 1652 wrote to memory of 936	1652	92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe	28
PID 1652 wrote to memory of 936	1652	92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe	28
PID 1196 wrote to memory of 1048	1196	92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe	30
PID 1196 wrote to memory of 1048	1196	92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe	30
PID 1196 wrote to memory of 1048	1196	92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe	30
PID 1196 wrote to memory of 1048	1196	92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe	30
PID 936 wrote to memory of 1924	936	cmd.exe	32
PID 936 wrote to memory of 1924	936	cmd.exe	32
PID 936 wrote to memory of 1924	936	cmd.exe	32
PID 936 wrote to memory of 1924	936	cmd.exe	32
PID 936 wrote to memory of 1656	936	cmd.exe	33
PID 936 wrote to memory of 1656	936	cmd.exe	33
PID 936 wrote to memory of 1656	936	cmd.exe	33
PID 936 wrote to memory of 1656	936	cmd.exe	33
PID 936 wrote to memory of 1656	936	cmd.exe	33
PID 936 wrote to memory of 1656	936	cmd.exe	33
PID 936 wrote to memory of 1656	936	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe
"C:\Users\Admin\AppData\Local\Temp\92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe
  "C:\Users\Admin\AppData\Local\Temp\92cc618ee337f887284d4c08c9b4bca3330269b9ce93ac4f8cbc493c46da48f4.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Start.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
      4⤵
      Modifies registry key
      PID:1924
  - - C:\Windows\SysWOW64\gpupdate.exe
      gpupdate /force
      4⤵
      PID:1656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\jnduf.bat
  2⤵
  - Deletes itself
  PID:1048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf.bat

Filesize
341B

MD5
fdca3b2b1a4816aae18bb6e8a04a2508

SHA1
6feb05c959f3332ada1b507da72c00763ebebab5

SHA256
dfa9ddf59ff1f217c6e7fe104bf43a3e8a3aaa2b4957916f74f20ade925530b0

SHA512
ffde80051fb1281adf3e78ed04d429004f6d7681d50b147103ab338bb1b951c0a2d8ed187a640fa6837066f33a4bd0863561e5b7d4951f4637129608921b8c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf~.tmp

Filesize
608KB

MD5
7fba722cfba0224abaf6bd896b857cd4

SHA1
04fde645a163effc56c9b26e0b6a4628101bf2c9

SHA256
1202329cdbae9d55bb7d7b4cbbadbecf20cdf5de1403927bb72fe3af5b4543ef

SHA512
dc0704f83967a6451ca0614180264ebd670a0d23652f2512d6c3eb0381a5e7399f0ed5a4ca356e2dbe6721f97f0ced56edd86109c31eecf09a2878a616a3d774

Download Submit
memory/1196-55-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1196-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1196-71-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1652-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1652-67-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1652-69-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1652-63-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1652-61-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1652-57-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1652-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download