8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe

Analysis

max time kernel
185s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 01:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Size

388KB
MD5

796d2e3103b5f1159136297b474a40ba
SHA1

d2913dcd549734e752701e2d5fd4910201b243f4
SHA256

8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe
SHA512

d99c449b8601a470108889767da4d61075c68f44574fc07e84a4d3cb6cec7395576c8b2000aec7ea05c60ab493e5882d182dc915747498b9635eebc8de1c102e
SSDEEP

6144:96izSHaP1HIMd6gpWgUKlTUQ6GYDQeFQLNjBSY5l5SjoF1U:wiWHaRIMd/TUKlTKVDQeFQLNlSKE

Score

8^/10

persistence upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\TXP1atform.exe	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
File opened for modification	C:\Windows\SysWOW64\drivers\TXP1atform.exe	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe

Executes dropped EXE 1 IoCs

pid	Process
2628	TXP1atform.exe

Sets file execution options in registry 2 TTPs 45 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NGEN.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRCEF.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDXHELPER.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPOOLSV.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WORDCONV.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSREC.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SVCHOST.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXCELCNV.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GOOGLEUPDATE.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GRAPH.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEINSTAL.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MICROSOFTEDGEUPDATE.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSQRY32.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXTEXPORT.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IE4UINIT.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEUNATT.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\POWERPNT.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRINTDIALOG.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRSERVICESUPDATER.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLVIEW.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCORSVW.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOADFSB.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOXMLED.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NGENTASK.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEXPLORE.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSHTA.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ORGCHART.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINWORD.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACRORD32.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IELOWUTIL.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSFEEDSSYNC.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOHTMED.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRESENTATIONHOST.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNTIMEBROKER.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SELFCERT.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SYSTEMSETTINGS.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACRORD32INFO.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXCEL.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOASB.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSYNC.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRINTISOLATIONHOST.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETLANG.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPLWOW64.EXE	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1684-132-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/files/0x0006000000023168-136.dat	upx
behavioral2/files/0x0006000000023168-137.dat	upx
behavioral2/memory/2628-138-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/1684-139-0x0000000000400000-0x000000000044A000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1684	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
1684	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
1684	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
1684	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
2628	TXP1atform.exe
2628	TXP1atform.exe
2628	TXP1atform.exe
2628	TXP1atform.exe
2628	TXP1atform.exe
2628	TXP1atform.exe
2628	TXP1atform.exe
2628	TXP1atform.exe
2628	TXP1atform.exe
2628	TXP1atform.exe
2628	TXP1atform.exe
2628	TXP1atform.exe
2628	TXP1atform.exe
2628	TXP1atform.exe
2628	TXP1atform.exe
2628	TXP1atform.exe
2628	TXP1atform.exe
2628	TXP1atform.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 4104	1684	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe	82
PID 1684 wrote to memory of 4104	1684	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe	82
PID 1684 wrote to memory of 4104	1684	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe	82
PID 1684 wrote to memory of 2628	1684	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe	84
PID 1684 wrote to memory of 2628	1684	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe	84
PID 1684 wrote to memory of 2628	1684	8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe	84

C:\Users\Admin\AppData\Local\Temp\8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe
"C:\Users\Admin\AppData\Local\Temp\8b2185a2ffe8fb0a516756aaeb134b8e3fedd499572badb72aa71c67a58932fe.exe"
1⤵
- Drops file in Drivers directory
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\32$$.bat
  2⤵
  PID:4104
- C:\Windows\SysWOW64\drivers\TXP1atform.exe
  C:\Windows\system32\drivers\TXP1atform.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32$$.bat

Filesize
677B

MD5
ad7ed2c20cbaed1791dc670bc806440f

SHA1
db2ddf7049ab36742be0662da9522fd1182d355d

SHA256
7a8554075b296b520841f3cefa501743b1b44360b7a0c7d9b8ef1b6039c42c86

SHA512
add46661ccad30b4bb3cd72a2253cdcb7bedee03ee4e25f1addb0188a858da7dbfdce233dab3e05b0d512185dc76bf8525bb0304441524c491dd0f026752859d

Download Submit
C:\Windows\SysWOW64\drivers\TXP1atform.exe

Filesize
76KB

MD5
0355722a11f1797aa6c1e1ca3c098df7

SHA1
af1acc8fedf6e1d634118863a0a7758ed10f4646

SHA256
3b92d3565d46ba90bfccf02fa440c65102cda96f3a67ffec8e06150fa7602532

SHA512
2dd5e55b8146c1c40a18de790a15134e89e2258c805c13ea34d8b9bb7c2208ff994f5446a73e64d68c6737e4301e08cce175ac630d6ee4080aa63178257a429f

Download Submit
C:\Windows\SysWOW64\drivers\TXP1atform.exe

Filesize
76KB

MD5
0355722a11f1797aa6c1e1ca3c098df7

SHA1
af1acc8fedf6e1d634118863a0a7758ed10f4646

SHA256
3b92d3565d46ba90bfccf02fa440c65102cda96f3a67ffec8e06150fa7602532

SHA512
2dd5e55b8146c1c40a18de790a15134e89e2258c805c13ea34d8b9bb7c2208ff994f5446a73e64d68c6737e4301e08cce175ac630d6ee4080aa63178257a429f

Download Submit
memory/1684-132-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1684-139-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2628-138-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download