87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b

Analysis

max time kernel
151s
max time network
186s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b.exe
Size

279KB
MD5

e9c0b54713c3f58985f6502d05813b5b
SHA1

7d4e368512a44776b2a9273465bb978d810b6f5a
SHA256

87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b
SHA512

6cb135263f9aab6543971f852dae2fd304d48ff81ec9a69c4888961afffe5c4ea4ab07ab7a939aad3f937e1ed08801062363e76dbe2202df0d157c962ed8cba3
SSDEEP

6144:CGahaRFe4Bk/K/jNrart0Nz1rH/MWQDTi86OuyTtRN9vVti:CGiavOMxiW901i85uyxR

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1136	uplii.exe

Deletes itself 1 IoCs

pid	Process
1036	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1352	87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b.exe
1352	87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	uplii.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Awyw\\uplii.exe"	uplii.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1352 set thread context of 1036	1352	87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b.exe	28

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe
1136	uplii.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1136	1352	87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b.exe	27
PID 1352 wrote to memory of 1136	1352	87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b.exe	27
PID 1352 wrote to memory of 1136	1352	87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b.exe	27
PID 1352 wrote to memory of 1136	1352	87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b.exe	27
PID 1136 wrote to memory of 1112	1136	uplii.exe	17
PID 1136 wrote to memory of 1112	1136	uplii.exe	17
PID 1136 wrote to memory of 1112	1136	uplii.exe	17
PID 1136 wrote to memory of 1112	1136	uplii.exe	17
PID 1136 wrote to memory of 1112	1136	uplii.exe	17
PID 1136 wrote to memory of 1172	1136	uplii.exe	10
PID 1136 wrote to memory of 1172	1136	uplii.exe	10
PID 1136 wrote to memory of 1172	1136	uplii.exe	10
PID 1136 wrote to memory of 1172	1136	uplii.exe	10
PID 1136 wrote to memory of 1172	1136	uplii.exe	10
PID 1136 wrote to memory of 1212	1136	uplii.exe	16
PID 1136 wrote to memory of 1212	1136	uplii.exe	16
PID 1136 wrote to memory of 1212	1136	uplii.exe	16
PID 1136 wrote to memory of 1212	1136	uplii.exe	16
PID 1136 wrote to memory of 1212	1136	uplii.exe	16
PID 1136 wrote to memory of 1352	1136	uplii.exe	26
PID 1136 wrote to memory of 1352	1136	uplii.exe	26
PID 1136 wrote to memory of 1352	1136	uplii.exe	26
PID 1136 wrote to memory of 1352	1136	uplii.exe	26
PID 1136 wrote to memory of 1352	1136	uplii.exe	26
PID 1352 wrote to memory of 1036	1352	87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b.exe	28
PID 1352 wrote to memory of 1036	1352	87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b.exe	28
PID 1352 wrote to memory of 1036	1352	87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b.exe	28
PID 1352 wrote to memory of 1036	1352	87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b.exe	28
PID 1352 wrote to memory of 1036	1352	87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b.exe	28
PID 1352 wrote to memory of 1036	1352	87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b.exe	28
PID 1352 wrote to memory of 1036	1352	87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b.exe	28
PID 1352 wrote to memory of 1036	1352	87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b.exe	28
PID 1352 wrote to memory of 1036	1352	87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b.exe	28

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b.exe
  "C:\Users\Admin\AppData\Local\Temp\87a2754affb566ccd52b2ffe474ffbe9dd90ffd020bd9bd4a18250d9c8485f8b.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Users\Admin\AppData\Roaming\Awyw\uplii.exe
    "C:\Users\Admin\AppData\Roaming\Awyw\uplii.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4114e117.bat"
    3⤵
    - Deletes itself
    PID:1036

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4114e117.bat

Filesize
307B

MD5
9d3b35bfe181d503e8bb66049fea80cd

SHA1
3206ae70a998c283fcbbf18ba76b71d2770a0fdd

SHA256
741a7bec41b207500b9b89e20a727eaec80953e3b5d4022b4810229db40c9817

SHA512
2a5cc013e60ecf4ca7f16ef961ae2936394d76b1b3c2e0e468045c2892552b8110102b97e8574666e9abaecf39471bc12a3f97f75fdd8fe1be65747e82d063b7

Download Submit
C:\Users\Admin\AppData\Roaming\Awyw\uplii.exe

Filesize
279KB

MD5
a547ff02f5f41618586917aa0b211765

SHA1
fbcb6d4a35f03e49b928538886bd321b398067cf

SHA256
6392db17be3ed0518e3482f35eed0594c906da498b72c77fb55dbff3b44783c3

SHA512
7c27b9d240a3e38b4575539a30b7a40d1a6aa646f02612b946fd2198f68d55808822c31e5f73b423bbfb42ef2b5120c7e013ef270de5bffcf7b54af1aa54fa32

Download Submit
C:\Users\Admin\AppData\Roaming\Awyw\uplii.exe

Filesize
279KB

MD5
a547ff02f5f41618586917aa0b211765

SHA1
fbcb6d4a35f03e49b928538886bd321b398067cf

SHA256
6392db17be3ed0518e3482f35eed0594c906da498b72c77fb55dbff3b44783c3

SHA512
7c27b9d240a3e38b4575539a30b7a40d1a6aa646f02612b946fd2198f68d55808822c31e5f73b423bbfb42ef2b5120c7e013ef270de5bffcf7b54af1aa54fa32

Download Submit
\Users\Admin\AppData\Roaming\Awyw\uplii.exe

Filesize
279KB

MD5
a547ff02f5f41618586917aa0b211765

SHA1
fbcb6d4a35f03e49b928538886bd321b398067cf

SHA256
6392db17be3ed0518e3482f35eed0594c906da498b72c77fb55dbff3b44783c3

SHA512
7c27b9d240a3e38b4575539a30b7a40d1a6aa646f02612b946fd2198f68d55808822c31e5f73b423bbfb42ef2b5120c7e013ef270de5bffcf7b54af1aa54fa32

Download Submit
\Users\Admin\AppData\Roaming\Awyw\uplii.exe

Filesize
279KB

MD5
a547ff02f5f41618586917aa0b211765

SHA1
fbcb6d4a35f03e49b928538886bd321b398067cf

SHA256
6392db17be3ed0518e3482f35eed0594c906da498b72c77fb55dbff3b44783c3

SHA512
7c27b9d240a3e38b4575539a30b7a40d1a6aa646f02612b946fd2198f68d55808822c31e5f73b423bbfb42ef2b5120c7e013ef270de5bffcf7b54af1aa54fa32

Download Submit
memory/1036-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1036-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1036-111-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/1036-98-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/1036-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1036-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1036-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1036-104-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1036-100-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/1036-96-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/1036-99-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/1112-68-0x0000000000360000-0x00000000003A6000-memory.dmp

Filesize
280KB

Download
memory/1112-70-0x0000000000360000-0x00000000003A6000-memory.dmp

Filesize
280KB

Download
memory/1112-65-0x0000000000360000-0x00000000003A6000-memory.dmp

Filesize
280KB

Download
memory/1112-67-0x0000000000360000-0x00000000003A6000-memory.dmp

Filesize
280KB

Download
memory/1112-69-0x0000000000360000-0x00000000003A6000-memory.dmp

Filesize
280KB

Download
memory/1136-62-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1172-76-0x0000000000220000-0x0000000000266000-memory.dmp

Filesize
280KB

Download
memory/1172-73-0x0000000000220000-0x0000000000266000-memory.dmp

Filesize
280KB

Download
memory/1172-75-0x0000000000220000-0x0000000000266000-memory.dmp

Filesize
280KB

Download
memory/1172-74-0x0000000000220000-0x0000000000266000-memory.dmp

Filesize
280KB

Download
memory/1212-82-0x00000000029C0000-0x0000000002A06000-memory.dmp

Filesize
280KB

Download
memory/1212-79-0x00000000029C0000-0x0000000002A06000-memory.dmp

Filesize
280KB

Download
memory/1212-81-0x00000000029C0000-0x0000000002A06000-memory.dmp

Filesize
280KB

Download
memory/1212-80-0x00000000029C0000-0x0000000002A06000-memory.dmp

Filesize
280KB

Download
memory/1352-87-0x0000000000750000-0x0000000000796000-memory.dmp

Filesize
280KB

Download
memory/1352-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1352-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1352-102-0x0000000000750000-0x0000000000796000-memory.dmp

Filesize
280KB

Download
memory/1352-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1352-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1352-54-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1352-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1352-88-0x0000000000750000-0x0000000000796000-memory.dmp

Filesize
280KB

Download
memory/1352-86-0x0000000000750000-0x0000000000796000-memory.dmp

Filesize
280KB

Download
memory/1352-85-0x0000000000750000-0x0000000000796000-memory.dmp

Filesize
280KB

Download
memory/1352-56-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1352-55-0x0000000000401000-0x000000000043F000-memory.dmp

Filesize
248KB

Download