db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c

Analysis

max time kernel
93s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
Size

454KB
MD5

ff4f66b9c182c1ebced680589b0ac953
SHA1

8f0c7826d0bd2976243a0b308fd0de8887b3565a
SHA256

db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c
SHA512

48478a4b216a407c0cc40843bba7c1f2567c9c8fea08f69059d9c6f87ba6741635b5e5fc155d7f9785d89b76fcbd9998a2486b2ccac2ac66aa5d19b32b60e770
SSDEEP

12288:wxoXutyRsfnortLcLt/KHsrgHwCU1Wp86X1T5zXT:wxoA3CM/yskHwCU1KvlNH

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4488	kA01803JmCmK01803.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1164-132-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/1164-137-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/4488-139-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/4488-142-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kA01803JmCmK01803 = "C:\\ProgramData\\kA01803JmCmK01803\\kA01803JmCmK01803.exe"	kA01803JmCmK01803.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1064	4488	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe
4488	kA01803JmCmK01803.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
Token: SeDebugPrivilege	4488	kA01803JmCmK01803.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 4488	1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe	79
PID 1164 wrote to memory of 4488	1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe	79
PID 1164 wrote to memory of 4488	1164	db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe	79

C:\Users\Admin\AppData\Local\Temp\db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe
"C:\Users\Admin\AppData\Local\Temp\db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164
- C:\ProgramData\kA01803JmCmK01803\kA01803JmCmK01803.exe
  "C:\ProgramData\kA01803JmCmK01803\kA01803JmCmK01803.exe" "C:\Users\Admin\AppData\Local\Temp\db62a3effdddd7c63dc88db492c5176ed65d3e4bb22e84b24ead3c30a166bb4c.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1328
    3⤵
    - Program crash
    PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4488 -ip 4488
1⤵
PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kA01803JmCmK01803\kA01803JmCmK01803.exe

Filesize
454KB

MD5
fd1e09dc3aa93bc2949b10dfdb84c6bb

SHA1
2872e641904f7dd0fc6e17408c0f44f5605ce5fd

SHA256
92a790b301a4e70c48a235a4c781765db5cec0699bf214c193f85fffea11d4eb

SHA512
78c9e19d72156096401c323060da74d4176dcbce27d08a0db2ed526fb159ee21b6dab78f9a6cbedf885985a553ec022e23362fbd06b4d86687cf5042819ff163

Download Submit
C:\ProgramData\kA01803JmCmK01803\kA01803JmCmK01803.exe

Filesize
454KB

MD5
fd1e09dc3aa93bc2949b10dfdb84c6bb

SHA1
2872e641904f7dd0fc6e17408c0f44f5605ce5fd

SHA256
92a790b301a4e70c48a235a4c781765db5cec0699bf214c193f85fffea11d4eb

SHA512
78c9e19d72156096401c323060da74d4176dcbce27d08a0db2ed526fb159ee21b6dab78f9a6cbedf885985a553ec022e23362fbd06b4d86687cf5042819ff163

Download Submit
memory/1164-132-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1164-133-0x00000000006F2000-0x0000000000741000-memory.dmp

Filesize
316KB

Download
memory/1164-137-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1164-138-0x00000000006F2000-0x0000000000741000-memory.dmp

Filesize
316KB

Download
memory/4488-139-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4488-140-0x0000000000821000-0x0000000000870000-memory.dmp

Filesize
316KB

Download
memory/4488-141-0x0000000000821000-0x0000000000870000-memory.dmp

Filesize
316KB

Download
memory/4488-142-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4488-143-0x0000000000821000-0x0000000000870000-memory.dmp

Filesize
316KB

Download