Analysis

  • max time kernel
    147s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-12-2022 01:46

General

  • Target

    8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc.exe

  • Size

    26KB

  • MD5

    8595535b946f18c37051d3a1e8cbac07

  • SHA1

    061fae33fc7d5ce3fe859c7315e292634d8eb511

  • SHA256

    8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc

  • SHA512

    dfc20b9fc9adfa5bbb27bde4941d813438260940743af00b9c275cbeee9bd0d9f488d4827e90d048f9e259b033296c492a0c404c541d395d4bfaeeb6837457f3

  • SSDEEP

    768:NYzN0KzwUbKS3Eaj4FPSWVpQL9SUIcBFitkjAmiW:N00KzwUbPUFP1Q5S/cBo5

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 4 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc.exe
    "C:\Users\Admin\AppData\Local\Temp\8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4416
    • \??\c:\windows\mstre19.exe
      c:\windows\mstre19.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:688
      • \??\c:\windows\SysWOW64\regedit.exe
        regedit /s c:\2.reg
        3⤵
        • Modifies registry class
        • Runs .reg file with regedit
        PID:2680
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\4321f456.bat
      2⤵
        PID:1660
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:4240
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4712
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4712 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3812

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Defense Evasion

      Modify Registry

      1
      T1112

      Downloads

      • C:\Windows\mstre19.exe
        Filesize

        26KB

        MD5

        8595535b946f18c37051d3a1e8cbac07

        SHA1

        061fae33fc7d5ce3fe859c7315e292634d8eb511

        SHA256

        8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc

        SHA512

        dfc20b9fc9adfa5bbb27bde4941d813438260940743af00b9c275cbeee9bd0d9f488d4827e90d048f9e259b033296c492a0c404c541d395d4bfaeeb6837457f3

      • \??\c:\2.reg
        Filesize

        202B

        MD5

        428090d84a47f875c8fdd6d0258f00c5

        SHA1

        96c029720065ac1dc5ece2a5481b780267d7b439

        SHA256

        8c8668f6339728aebfc08e547f15b0e250f6a551be86f47fcb6098ffe37f0404

        SHA512

        f752bf52b359a5a82e821ee288e11cd4176c39ac3c932c6f44db69780c6e2597e654bbb3a9db9c32f8659d5af66fa9578b5625758b1f6db70c1314369dbadf7d

      • \??\c:\4321f456.bat
        Filesize

        306B

        MD5

        7463340f8e25ce5b7391e9deaa84302c

        SHA1

        76f9a3cc5f769011e69e5ead350e4a7fdd920997

        SHA256

        35f20cb6d8b21a0c209e2145ee161b3525377ee4ee5465e658842c4eb2bc88d7

        SHA512

        bcb280a8f465375d3b473c7f13c92e980f9b92bf9f4b401a94ee4f1f2b19bb44fb18532834ccb363dda714a493bbffb93aa66dc62eeb2b2c3e1c11320304c5e0

      • \??\c:\windows\mstre19.exe
        Filesize

        26KB

        MD5

        8595535b946f18c37051d3a1e8cbac07

        SHA1

        061fae33fc7d5ce3fe859c7315e292634d8eb511

        SHA256

        8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc

        SHA512

        dfc20b9fc9adfa5bbb27bde4941d813438260940743af00b9c275cbeee9bd0d9f488d4827e90d048f9e259b033296c492a0c404c541d395d4bfaeeb6837457f3

      • memory/688-133-0x0000000000000000-mapping.dmp
      • memory/688-137-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB

      • memory/1660-136-0x0000000000000000-mapping.dmp
      • memory/2680-139-0x0000000000000000-mapping.dmp
      • memory/4416-132-0x0000000000400000-0x0000000000413000-memory.dmp
        Filesize

        76KB