90b74a95fbddd31d1691a93893c68ebe3bcbed962074c5aa775817a4771a7689

Analysis

max time kernel
69s
max time network
88s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 09:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

90b74a95fbddd31d1691a93893c68ebe3bcbed962074c5aa775817a4771a7689.exe
Size

685KB
MD5

f34576abfe164aa53a8e4b8fdc02334e
SHA1

53d472c861d00392a2ac0a63419fc03e72428bc0
SHA256

90b74a95fbddd31d1691a93893c68ebe3bcbed962074c5aa775817a4771a7689
SHA512

c65fb75cd5e2575e312b73b6e9d0ea5ad3101d6bd38d2a2c35dcb553b885ac14e0f63dd4c0853489e84b9384fabebd300534a3c123b00ae31392a8824c132256
SSDEEP

12288:Y7wMuUzmA/EQtv6jlxqAq7ahmhVH7moEGCnxjyRy8yP:Y7RVzrEQtvWCAROxEhFDzP

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1324-55-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral1/memory/1324-56-0x0000000000400000-0x00000000004AD000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	90b74a95fbddd31d1691a93893c68ebe3bcbed962074c5aa775817a4771a7689.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³Ê±¼ä½ÃÕýÆ÷.exe = "c:\\Program Files\\SysTime\\ÏµÍ³Ê±¼ä½ÃÕýÆ÷.exe"	90b74a95fbddd31d1691a93893c68ebe3bcbed962074c5aa775817a4771a7689.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	\??\c:\Program Files\SysTime\ÏµÍ³Ê±¼ä½ÃÕýÆ÷.exe	90b74a95fbddd31d1691a93893c68ebe3bcbed962074c5aa775817a4771a7689.exe
File opened for modification	\??\c:\Program Files\SysTime\ÏµÍ³Ê±¼ä½ÃÕýÆ÷.exe	90b74a95fbddd31d1691a93893c68ebe3bcbed962074c5aa775817a4771a7689.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1324	90b74a95fbddd31d1691a93893c68ebe3bcbed962074c5aa775817a4771a7689.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1324	90b74a95fbddd31d1691a93893c68ebe3bcbed962074c5aa775817a4771a7689.exe

C:\Users\Admin\AppData\Local\Temp\90b74a95fbddd31d1691a93893c68ebe3bcbed962074c5aa775817a4771a7689.exe
"C:\Users\Admin\AppData\Local\Temp\90b74a95fbddd31d1691a93893c68ebe3bcbed962074c5aa775817a4771a7689.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1324-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1324-55-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1324-56-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download